2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
21 #include "ssltestlib.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "internal/ktls.h"
26 #include "../ssl/ssl_locl.h"
28 #ifndef OPENSSL_NO_TLS1_3
30 static SSL_SESSION *clientpsk = NULL;
31 static SSL_SESSION *serverpsk = NULL;
32 static const char *pskid = "Identity";
33 static const char *srvid;
35 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
36 size_t *idlen, SSL_SESSION **sess);
37 static int find_session_cb(SSL *ssl, const unsigned char *identity,
38 size_t identity_len, SSL_SESSION **sess);
40 static int use_session_cb_cnt = 0;
41 static int find_session_cb_cnt = 0;
43 static SSL_SESSION *create_a_psk(SSL *ssl);
46 static char *cert = NULL;
47 static char *privkey = NULL;
48 static char *srpvfile = NULL;
49 static char *tmpfilename = NULL;
51 #define LOG_BUFFER_SIZE 2048
52 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
53 static size_t server_log_buffer_index = 0;
54 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
55 static size_t client_log_buffer_index = 0;
56 static int error_writing_log = 0;
58 #ifndef OPENSSL_NO_OCSP
59 static const unsigned char orespder[] = "Dummy OCSP Response";
60 static int ocsp_server_called = 0;
61 static int ocsp_client_called = 0;
63 static int cdummyarg = 1;
64 static X509 *ocspcert = NULL;
67 #define NUM_EXTRA_CERTS 40
68 #define CLIENT_VERSION_LEN 2
71 * This structure is used to validate that the correct number of log messages
72 * of various types are emitted when emitting secret logs.
74 struct sslapitest_log_counts {
75 unsigned int rsa_key_exchange_count;
76 unsigned int master_secret_count;
77 unsigned int client_early_secret_count;
78 unsigned int client_handshake_secret_count;
79 unsigned int server_handshake_secret_count;
80 unsigned int client_application_secret_count;
81 unsigned int server_application_secret_count;
82 unsigned int early_exporter_secret_count;
83 unsigned int exporter_secret_count;
87 static unsigned char serverinfov1[] = {
88 0xff, 0xff, /* Dummy extension type */
89 0x00, 0x01, /* Extension length is 1 byte */
90 0xff /* Dummy extension data */
93 static unsigned char serverinfov2[] = {
95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
96 0xff, 0xff, /* Dummy extension type */
97 0x00, 0x01, /* Extension length is 1 byte */
98 0xff /* Dummy extension data */
101 static void client_keylog_callback(const SSL *ssl, const char *line)
103 int line_length = strlen(line);
105 /* If the log doesn't fit, error out. */
106 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
107 TEST_info("Client log too full");
108 error_writing_log = 1;
112 strcat(client_log_buffer, line);
113 client_log_buffer_index += line_length;
114 client_log_buffer[client_log_buffer_index++] = '\n';
117 static void server_keylog_callback(const SSL *ssl, const char *line)
119 int line_length = strlen(line);
121 /* If the log doesn't fit, error out. */
122 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
123 TEST_info("Server log too full");
124 error_writing_log = 1;
128 strcat(server_log_buffer, line);
129 server_log_buffer_index += line_length;
130 server_log_buffer[server_log_buffer_index++] = '\n';
133 static int compare_hex_encoded_buffer(const char *hex_encoded,
141 if (!TEST_size_t_eq(raw_length * 2, hex_length))
144 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
145 sprintf(hexed, "%02x", raw[i]);
146 if (!TEST_int_eq(hexed[0], hex_encoded[j])
147 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
154 static int test_keylog_output(char *buffer, const SSL *ssl,
155 const SSL_SESSION *session,
156 struct sslapitest_log_counts *expected)
159 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
160 size_t client_random_size = SSL3_RANDOM_SIZE;
161 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
162 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
163 unsigned int rsa_key_exchange_count = 0;
164 unsigned int master_secret_count = 0;
165 unsigned int client_early_secret_count = 0;
166 unsigned int client_handshake_secret_count = 0;
167 unsigned int server_handshake_secret_count = 0;
168 unsigned int client_application_secret_count = 0;
169 unsigned int server_application_secret_count = 0;
170 unsigned int early_exporter_secret_count = 0;
171 unsigned int exporter_secret_count = 0;
173 for (token = strtok(buffer, " \n"); token != NULL;
174 token = strtok(NULL, " \n")) {
175 if (strcmp(token, "RSA") == 0) {
177 * Premaster secret. Tokens should be: 16 ASCII bytes of
178 * hex-encoded encrypted secret, then the hex-encoded pre-master
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 if (!TEST_size_t_eq(strlen(token), 16))
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
188 * We can't sensibly check the log because the premaster secret is
189 * transient, and OpenSSL doesn't keep hold of it once the master
190 * secret is generated.
192 rsa_key_exchange_count++;
193 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
195 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
196 * client random, then the hex-encoded master secret.
198 client_random_size = SSL_get_client_random(ssl,
199 actual_client_random,
201 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
204 if (!TEST_ptr(token = strtok(NULL, " \n")))
206 if (!TEST_size_t_eq(strlen(token), 64))
208 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
209 actual_client_random,
210 client_random_size)))
213 if (!TEST_ptr(token = strtok(NULL, " \n")))
215 master_key_size = SSL_SESSION_get_master_key(session,
218 if (!TEST_size_t_ne(master_key_size, 0))
220 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
224 master_secret_count++;
225 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
226 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
227 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
228 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
229 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
230 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
231 || strcmp(token, "EXPORTER_SECRET") == 0) {
233 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
234 * client random, and then the hex-encoded secret. In this case,
235 * we treat all of these secrets identically and then just
236 * distinguish between them when counting what we saw.
238 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
239 client_early_secret_count++;
240 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
241 client_handshake_secret_count++;
242 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
243 server_handshake_secret_count++;
244 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
245 client_application_secret_count++;
246 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
247 server_application_secret_count++;
248 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
249 early_exporter_secret_count++;
250 else if (strcmp(token, "EXPORTER_SECRET") == 0)
251 exporter_secret_count++;
253 client_random_size = SSL_get_client_random(ssl,
254 actual_client_random,
256 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
259 if (!TEST_ptr(token = strtok(NULL, " \n")))
261 if (!TEST_size_t_eq(strlen(token), 64))
263 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
264 actual_client_random,
265 client_random_size)))
268 if (!TEST_ptr(token = strtok(NULL, " \n")))
272 * TODO(TLS1.3): test that application traffic secrets are what
275 TEST_info("Unexpected token %s\n", token);
280 /* Got what we expected? */
281 if (!TEST_size_t_eq(rsa_key_exchange_count,
282 expected->rsa_key_exchange_count)
283 || !TEST_size_t_eq(master_secret_count,
284 expected->master_secret_count)
285 || !TEST_size_t_eq(client_early_secret_count,
286 expected->client_early_secret_count)
287 || !TEST_size_t_eq(client_handshake_secret_count,
288 expected->client_handshake_secret_count)
289 || !TEST_size_t_eq(server_handshake_secret_count,
290 expected->server_handshake_secret_count)
291 || !TEST_size_t_eq(client_application_secret_count,
292 expected->client_application_secret_count)
293 || !TEST_size_t_eq(server_application_secret_count,
294 expected->server_application_secret_count)
295 || !TEST_size_t_eq(early_exporter_secret_count,
296 expected->early_exporter_secret_count)
297 || !TEST_size_t_eq(exporter_secret_count,
298 expected->exporter_secret_count))
303 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
304 static int test_keylog(void)
306 SSL_CTX *cctx = NULL, *sctx = NULL;
307 SSL *clientssl = NULL, *serverssl = NULL;
309 struct sslapitest_log_counts expected;
311 /* Clean up logging space */
312 memset(&expected, 0, sizeof(expected));
313 memset(client_log_buffer, 0, sizeof(client_log_buffer));
314 memset(server_log_buffer, 0, sizeof(server_log_buffer));
315 client_log_buffer_index = 0;
316 server_log_buffer_index = 0;
317 error_writing_log = 0;
319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
322 &sctx, &cctx, cert, privkey)))
325 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
326 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
327 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
329 /* We also want to ensure that we use RSA-based key exchange. */
330 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
333 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
334 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
336 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
337 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
338 == client_keylog_callback))
340 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
341 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
342 == server_keylog_callback))
345 /* Now do a handshake and check that the logs have been written to. */
346 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
347 &clientssl, NULL, NULL))
348 || !TEST_true(create_ssl_connection(serverssl, clientssl,
350 || !TEST_false(error_writing_log)
351 || !TEST_int_gt(client_log_buffer_index, 0)
352 || !TEST_int_gt(server_log_buffer_index, 0))
356 * Now we want to test that our output data was vaguely sensible. We
357 * do that by using strtok and confirming that we have more or less the
358 * data we expect. For both client and server, we expect to see one master
359 * secret. The client should also see a RSA key exchange.
361 expected.rsa_key_exchange_count = 1;
362 expected.master_secret_count = 1;
363 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
364 SSL_get_session(clientssl), &expected)))
367 expected.rsa_key_exchange_count = 0;
368 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
369 SSL_get_session(serverssl), &expected)))
384 #ifndef OPENSSL_NO_TLS1_3
385 static int test_keylog_no_master_key(void)
387 SSL_CTX *cctx = NULL, *sctx = NULL;
388 SSL *clientssl = NULL, *serverssl = NULL;
389 SSL_SESSION *sess = NULL;
391 struct sslapitest_log_counts expected;
392 unsigned char buf[1];
393 size_t readbytes, written;
395 /* Clean up logging space */
396 memset(&expected, 0, sizeof(expected));
397 memset(client_log_buffer, 0, sizeof(client_log_buffer));
398 memset(server_log_buffer, 0, sizeof(server_log_buffer));
399 client_log_buffer_index = 0;
400 server_log_buffer_index = 0;
401 error_writing_log = 0;
403 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
405 &sctx, &cctx, cert, privkey))
406 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
407 SSL3_RT_MAX_PLAIN_LENGTH)))
410 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
411 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
414 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
415 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
416 == client_keylog_callback))
419 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
420 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
421 == server_keylog_callback))
424 /* Now do a handshake and check that the logs have been written to. */
425 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
426 &clientssl, NULL, NULL))
427 || !TEST_true(create_ssl_connection(serverssl, clientssl,
429 || !TEST_false(error_writing_log))
433 * Now we want to test that our output data was vaguely sensible. For this
434 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
435 * TLSv1.3, but we do expect both client and server to emit keys.
437 expected.client_handshake_secret_count = 1;
438 expected.server_handshake_secret_count = 1;
439 expected.client_application_secret_count = 1;
440 expected.server_application_secret_count = 1;
441 expected.exporter_secret_count = 1;
442 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
443 SSL_get_session(clientssl), &expected))
444 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
445 SSL_get_session(serverssl),
449 /* Terminate old session and resume with early data. */
450 sess = SSL_get1_session(clientssl);
451 SSL_shutdown(clientssl);
452 SSL_shutdown(serverssl);
455 serverssl = clientssl = NULL;
458 memset(client_log_buffer, 0, sizeof(client_log_buffer));
459 memset(server_log_buffer, 0, sizeof(server_log_buffer));
460 client_log_buffer_index = 0;
461 server_log_buffer_index = 0;
463 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
464 &clientssl, NULL, NULL))
465 || !TEST_true(SSL_set_session(clientssl, sess))
466 /* Here writing 0 length early data is enough. */
467 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
468 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
470 SSL_READ_EARLY_DATA_ERROR)
471 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
472 SSL_EARLY_DATA_ACCEPTED)
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
475 || !TEST_true(SSL_session_reused(clientssl)))
478 /* In addition to the previous entries, expect early secrets. */
479 expected.client_early_secret_count = 1;
480 expected.early_exporter_secret_count = 1;
481 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
482 SSL_get_session(clientssl), &expected))
483 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
484 SSL_get_session(serverssl),
491 SSL_SESSION_free(sess);
501 #ifndef OPENSSL_NO_TLS1_2
502 static int full_client_hello_callback(SSL *s, int *al, void *arg)
505 const unsigned char *p;
507 /* We only configure two ciphers, but the SCSV is added automatically. */
509 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
511 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
514 const int expected_extensions[] = {
515 #ifndef OPENSSL_NO_EC
521 /* Make sure we can defer processing and get called back. */
523 return SSL_CLIENT_HELLO_RETRY;
525 len = SSL_client_hello_get0_ciphers(s, &p);
526 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
528 SSL_client_hello_get0_compression_methods(s, &p), 1)
529 || !TEST_int_eq(*p, 0))
530 return SSL_CLIENT_HELLO_ERROR;
531 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
532 return SSL_CLIENT_HELLO_ERROR;
533 if (len != OSSL_NELEM(expected_extensions) ||
534 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
535 printf("ClientHello callback expected extensions mismatch\n");
537 return SSL_CLIENT_HELLO_ERROR;
540 return SSL_CLIENT_HELLO_SUCCESS;
543 static int test_client_hello_cb(void)
545 SSL_CTX *cctx = NULL, *sctx = NULL;
546 SSL *clientssl = NULL, *serverssl = NULL;
547 int testctr = 0, testresult = 0;
549 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
551 &sctx, &cctx, cert, privkey)))
553 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
555 /* The gimpy cipher list we configure can't do TLS 1.3. */
556 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
558 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
559 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
560 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
561 &clientssl, NULL, NULL))
562 || !TEST_false(create_ssl_connection(serverssl, clientssl,
563 SSL_ERROR_WANT_CLIENT_HELLO_CB))
565 * Passing a -1 literal is a hack since
566 * the real value was lost.
568 || !TEST_int_eq(SSL_get_error(serverssl, -1),
569 SSL_ERROR_WANT_CLIENT_HELLO_CB)
570 || !TEST_true(create_ssl_connection(serverssl, clientssl,
585 static int test_no_ems(void)
587 SSL_CTX *cctx = NULL, *sctx = NULL;
588 SSL *clientssl = NULL, *serverssl = NULL;
591 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
592 TLS1_VERSION, TLS1_2_VERSION,
593 &sctx, &cctx, cert, privkey)) {
594 printf("Unable to create SSL_CTX pair\n");
598 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
600 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
601 printf("Unable to create SSL objects\n");
605 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
606 printf("Creating SSL connection failed\n");
610 if (SSL_get_extms_support(serverssl)) {
611 printf("Server reports Extended Master Secret support\n");
615 if (SSL_get_extms_support(clientssl)) {
616 printf("Client reports Extended Master Secret support\n");
631 static int execute_test_large_message(const SSL_METHOD *smeth,
632 const SSL_METHOD *cmeth,
633 int min_version, int max_version,
636 SSL_CTX *cctx = NULL, *sctx = NULL;
637 SSL *clientssl = NULL, *serverssl = NULL;
641 X509 *chaincert = NULL;
644 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
646 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
649 if (!TEST_ptr(chaincert))
652 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
653 &sctx, &cctx, cert, privkey)))
658 * Test that read_ahead works correctly when dealing with large
661 SSL_CTX_set_read_ahead(cctx, 1);
665 * We assume the supplied certificate is big enough so that if we add
666 * NUM_EXTRA_CERTS it will make the overall message large enough. The
667 * default buffer size is requested to be 16k, but due to the way BUF_MEM
668 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
669 * test we need to have a message larger than that.
671 certlen = i2d_X509(chaincert, NULL);
672 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
673 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
674 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
675 if (!X509_up_ref(chaincert))
677 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
678 X509_free(chaincert);
683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
685 || !TEST_true(create_ssl_connection(serverssl, clientssl,
690 * Calling SSL_clear() first is not required but this tests that SSL_clear()
691 * doesn't leak (when using enable-crypto-mdebug).
693 if (!TEST_true(SSL_clear(serverssl)))
698 X509_free(chaincert);
707 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
708 && !defined(OPENSSL_NO_SOCK)
710 /* sock must be connected */
711 static int ktls_chk_platform(int sock)
713 if (!ktls_enable(sock))
718 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
720 static char count = 1;
721 unsigned char cbuf[16000] = {0};
722 unsigned char sbuf[16000];
724 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
725 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
726 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
727 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
729 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
732 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
733 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
734 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
735 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
736 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
737 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
739 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
742 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
743 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
748 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
751 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
752 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
757 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
758 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
759 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
760 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
761 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
762 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
764 /* verify the payload */
765 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
768 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
769 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
770 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
771 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
774 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
775 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
779 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
780 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
781 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
784 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
785 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
789 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
790 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
798 static int execute_test_ktls(int cis_ktls_tx, int sis_ktls_tx)
800 SSL_CTX *cctx = NULL, *sctx = NULL;
801 SSL *clientssl = NULL, *serverssl = NULL;
805 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
808 /* Skip this test if the platform does not support ktls */
809 if (!ktls_chk_platform(cfd))
812 /* Create a session based on SHA-256 */
813 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
815 TLS1_2_VERSION, TLS1_2_VERSION,
816 &sctx, &cctx, cert, privkey))
817 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
818 "AES128-GCM-SHA256"))
819 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
820 &clientssl, sfd, cfd)))
824 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
829 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
833 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
838 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
841 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
846 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
849 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
853 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
859 SSL_shutdown(clientssl);
863 SSL_shutdown(serverssl);
868 serverssl = clientssl = NULL;
872 static int test_ktls_client_server(void)
874 return execute_test_ktls(1, 1);
877 static int test_ktls_no_client_server(void)
879 return execute_test_ktls(0, 1);
882 static int test_ktls_client_no_server(void)
884 return execute_test_ktls(1, 0);
887 static int test_ktls_no_client_no_server(void)
889 return execute_test_ktls(0, 0);
894 static int test_large_message_tls(void)
896 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
900 static int test_large_message_tls_read_ahead(void)
902 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
906 #ifndef OPENSSL_NO_DTLS
907 static int test_large_message_dtls(void)
910 * read_ahead is not relevant to DTLS because DTLS always acts as if
913 return execute_test_large_message(DTLS_server_method(),
914 DTLS_client_method(),
915 DTLS1_VERSION, 0, 0);
919 #ifndef OPENSSL_NO_OCSP
920 static int ocsp_server_cb(SSL *s, void *arg)
922 int *argi = (int *)arg;
923 unsigned char *copy = NULL;
924 STACK_OF(OCSP_RESPID) *ids = NULL;
925 OCSP_RESPID *id = NULL;
928 /* In this test we are expecting exactly 1 OCSP_RESPID */
929 SSL_get_tlsext_status_ids(s, &ids);
930 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
931 return SSL_TLSEXT_ERR_ALERT_FATAL;
933 id = sk_OCSP_RESPID_value(ids, 0);
934 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
935 return SSL_TLSEXT_ERR_ALERT_FATAL;
936 } else if (*argi != 1) {
937 return SSL_TLSEXT_ERR_ALERT_FATAL;
940 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
941 return SSL_TLSEXT_ERR_ALERT_FATAL;
943 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
944 ocsp_server_called = 1;
945 return SSL_TLSEXT_ERR_OK;
948 static int ocsp_client_cb(SSL *s, void *arg)
950 int *argi = (int *)arg;
951 const unsigned char *respderin;
954 if (*argi != 1 && *argi != 2)
957 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
958 if (!TEST_mem_eq(orespder, len, respderin, len))
961 ocsp_client_called = 1;
965 static int test_tlsext_status_type(void)
967 SSL_CTX *cctx = NULL, *sctx = NULL;
968 SSL *clientssl = NULL, *serverssl = NULL;
970 STACK_OF(OCSP_RESPID) *ids = NULL;
971 OCSP_RESPID *id = NULL;
974 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
976 &sctx, &cctx, cert, privkey))
979 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
982 /* First just do various checks getting and setting tlsext_status_type */
984 clientssl = SSL_new(cctx);
985 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
986 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
987 TLSEXT_STATUSTYPE_ocsp))
988 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
989 TLSEXT_STATUSTYPE_ocsp))
995 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
996 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
999 clientssl = SSL_new(cctx);
1000 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1002 SSL_free(clientssl);
1006 * Now actually do a handshake and check OCSP information is exchanged and
1007 * the callbacks get called
1009 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1010 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1011 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1012 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1013 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1014 &clientssl, NULL, NULL))
1015 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1017 || !TEST_true(ocsp_client_called)
1018 || !TEST_true(ocsp_server_called))
1020 SSL_free(serverssl);
1021 SSL_free(clientssl);
1025 /* Try again but this time force the server side callback to fail */
1026 ocsp_client_called = 0;
1027 ocsp_server_called = 0;
1029 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1030 &clientssl, NULL, NULL))
1031 /* This should fail because the callback will fail */
1032 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1034 || !TEST_false(ocsp_client_called)
1035 || !TEST_false(ocsp_server_called))
1037 SSL_free(serverssl);
1038 SSL_free(clientssl);
1043 * This time we'll get the client to send an OCSP_RESPID that it will
1046 ocsp_client_called = 0;
1047 ocsp_server_called = 0;
1049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1050 &clientssl, NULL, NULL)))
1054 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1055 * specific one. We'll use the server cert.
1057 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1058 || !TEST_ptr(id = OCSP_RESPID_new())
1059 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1060 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1062 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1063 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1066 SSL_set_tlsext_status_ids(clientssl, ids);
1067 /* Control has been transferred */
1073 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1075 || !TEST_true(ocsp_client_called)
1076 || !TEST_true(ocsp_server_called))
1082 SSL_free(serverssl);
1083 SSL_free(clientssl);
1086 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1087 OCSP_RESPID_free(id);
1089 X509_free(ocspcert);
1096 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1097 static int new_called, remove_called, get_called;
1099 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1103 * sess has been up-refed for us, but we don't actually need it so free it
1106 SSL_SESSION_free(sess);
1110 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1115 static SSL_SESSION *get_sess_val = NULL;
1117 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1122 return get_sess_val;
1125 static int execute_test_session(int maxprot, int use_int_cache,
1128 SSL_CTX *sctx = NULL, *cctx = NULL;
1129 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1130 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1131 # ifndef OPENSSL_NO_TLS1_1
1132 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1134 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1135 int testresult = 0, numnewsesstick = 1;
1137 new_called = remove_called = 0;
1139 /* TLSv1.3 sends 2 NewSessionTickets */
1140 if (maxprot == TLS1_3_VERSION)
1143 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1145 &sctx, &cctx, cert, privkey)))
1149 * Only allow the max protocol version so we can force a connection failure
1152 SSL_CTX_set_min_proto_version(cctx, maxprot);
1153 SSL_CTX_set_max_proto_version(cctx, maxprot);
1155 /* Set up session cache */
1156 if (use_ext_cache) {
1157 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1158 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1160 if (use_int_cache) {
1161 /* Also covers instance where both are set */
1162 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1164 SSL_CTX_set_session_cache_mode(cctx,
1165 SSL_SESS_CACHE_CLIENT
1166 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1171 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1173 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1176 /* Should fail because it should already be in the cache */
1177 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1180 && (!TEST_int_eq(new_called, numnewsesstick)
1182 || !TEST_int_eq(remove_called, 0)))
1185 new_called = remove_called = 0;
1186 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1187 &clientssl2, NULL, NULL))
1188 || !TEST_true(SSL_set_session(clientssl2, sess1))
1189 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1191 || !TEST_true(SSL_session_reused(clientssl2)))
1194 if (maxprot == TLS1_3_VERSION) {
1196 * In TLSv1.3 we should have created a new session even though we have
1197 * resumed. Since we attempted a resume we should also have removed the
1198 * old ticket from the cache so that we try to only use tickets once.
1201 && (!TEST_int_eq(new_called, 1)
1202 || !TEST_int_eq(remove_called, 1)))
1206 * In TLSv1.2 we expect to have resumed so no sessions added or
1210 && (!TEST_int_eq(new_called, 0)
1211 || !TEST_int_eq(remove_called, 0)))
1215 SSL_SESSION_free(sess1);
1216 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1218 shutdown_ssl_connection(serverssl2, clientssl2);
1219 serverssl2 = clientssl2 = NULL;
1221 new_called = remove_called = 0;
1222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1223 &clientssl2, NULL, NULL))
1224 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1228 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1232 && (!TEST_int_eq(new_called, numnewsesstick)
1233 || !TEST_int_eq(remove_called, 0)))
1236 new_called = remove_called = 0;
1238 * This should clear sess2 from the cache because it is a "bad" session.
1239 * See SSL_set_session() documentation.
1241 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1244 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1246 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1249 if (use_int_cache) {
1250 /* Should succeeded because it should not already be in the cache */
1251 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1252 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1256 new_called = remove_called = 0;
1257 /* This shouldn't be in the cache so should fail */
1258 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1262 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1265 # if !defined(OPENSSL_NO_TLS1_1)
1266 new_called = remove_called = 0;
1267 /* Force a connection failure */
1268 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1269 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1270 &clientssl3, NULL, NULL))
1271 || !TEST_true(SSL_set_session(clientssl3, sess1))
1272 /* This should fail because of the mismatched protocol versions */
1273 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1277 /* We should have automatically removed the session from the cache */
1279 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1282 /* Should succeed because it should not already be in the cache */
1283 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1287 /* Now do some tests for server side caching */
1288 if (use_ext_cache) {
1289 SSL_CTX_sess_set_new_cb(cctx, NULL);
1290 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1291 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1292 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1293 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1294 get_sess_val = NULL;
1297 SSL_CTX_set_session_cache_mode(cctx, 0);
1298 /* Internal caching is the default on the server side */
1300 SSL_CTX_set_session_cache_mode(sctx,
1301 SSL_SESS_CACHE_SERVER
1302 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1304 SSL_free(serverssl1);
1305 SSL_free(clientssl1);
1306 serverssl1 = clientssl1 = NULL;
1307 SSL_free(serverssl2);
1308 SSL_free(clientssl2);
1309 serverssl2 = clientssl2 = NULL;
1310 SSL_SESSION_free(sess1);
1312 SSL_SESSION_free(sess2);
1315 SSL_CTX_set_max_proto_version(sctx, maxprot);
1316 if (maxprot == TLS1_2_VERSION)
1317 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1318 new_called = remove_called = get_called = 0;
1319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1321 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1323 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1324 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1327 if (use_int_cache) {
1328 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1330 * In TLSv1.3 it should not have been added to the internal cache,
1331 * except in the case where we also have an external cache (in that
1332 * case it gets added to the cache in order to generate remove
1333 * events after timeout).
1335 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1338 /* Should fail because it should already be in the cache */
1339 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1344 if (use_ext_cache) {
1345 SSL_SESSION *tmp = sess2;
1347 if (!TEST_int_eq(new_called, numnewsesstick)
1348 || !TEST_int_eq(remove_called, 0)
1349 || !TEST_int_eq(get_called, 0))
1352 * Delete the session from the internal cache to force a lookup from
1353 * the external cache. We take a copy first because
1354 * SSL_CTX_remove_session() also marks the session as non-resumable.
1356 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1357 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1358 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1360 SSL_SESSION_free(sess2);
1365 new_called = remove_called = get_called = 0;
1366 get_sess_val = sess2;
1367 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1368 &clientssl2, NULL, NULL))
1369 || !TEST_true(SSL_set_session(clientssl2, sess1))
1370 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1372 || !TEST_true(SSL_session_reused(clientssl2)))
1375 if (use_ext_cache) {
1376 if (!TEST_int_eq(remove_called, 0))
1379 if (maxprot == TLS1_3_VERSION) {
1380 if (!TEST_int_eq(new_called, 1)
1381 || !TEST_int_eq(get_called, 0))
1384 if (!TEST_int_eq(new_called, 0)
1385 || !TEST_int_eq(get_called, 1))
1393 SSL_free(serverssl1);
1394 SSL_free(clientssl1);
1395 SSL_free(serverssl2);
1396 SSL_free(clientssl2);
1397 # ifndef OPENSSL_NO_TLS1_1
1398 SSL_free(serverssl3);
1399 SSL_free(clientssl3);
1401 SSL_SESSION_free(sess1);
1402 SSL_SESSION_free(sess2);
1408 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1410 static int test_session_with_only_int_cache(void)
1412 #ifndef OPENSSL_NO_TLS1_3
1413 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1417 #ifndef OPENSSL_NO_TLS1_2
1418 return execute_test_session(TLS1_2_VERSION, 1, 0);
1424 static int test_session_with_only_ext_cache(void)
1426 #ifndef OPENSSL_NO_TLS1_3
1427 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1431 #ifndef OPENSSL_NO_TLS1_2
1432 return execute_test_session(TLS1_2_VERSION, 0, 1);
1438 static int test_session_with_both_cache(void)
1440 #ifndef OPENSSL_NO_TLS1_3
1441 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1445 #ifndef OPENSSL_NO_TLS1_2
1446 return execute_test_session(TLS1_2_VERSION, 1, 1);
1452 #ifndef OPENSSL_NO_TLS1_3
1453 static SSL_SESSION *sesscache[6];
1454 static int do_cache;
1456 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1459 sesscache[new_called] = sess;
1461 /* We don't need the reference to the session, so free it */
1462 SSL_SESSION_free(sess);
1469 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1471 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1472 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1475 /* Start handshake on the server and client */
1476 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1477 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1478 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1479 || !TEST_true(create_ssl_connection(sssl, cssl,
1486 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1489 int sess_id_ctx = 1;
1491 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1492 TLS1_VERSION, 0, sctx,
1493 cctx, cert, privkey))
1494 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1495 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1496 (void *)&sess_id_ctx,
1497 sizeof(sess_id_ctx))))
1501 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1503 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1504 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1505 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1510 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1512 SSL *serverssl = NULL, *clientssl = NULL;
1515 /* Test that we can resume with all the tickets we got given */
1516 for (i = 0; i < idx * 2; i++) {
1518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1519 &clientssl, NULL, NULL))
1520 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1523 SSL_set_post_handshake_auth(clientssl, 1);
1525 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1530 * Following a successful resumption we only get 1 ticket. After a
1531 * failed one we should get idx tickets.
1534 if (!TEST_true(SSL_session_reused(clientssl))
1535 || !TEST_int_eq(new_called, 1))
1538 if (!TEST_false(SSL_session_reused(clientssl))
1539 || !TEST_int_eq(new_called, idx))
1544 /* After a post-handshake authentication we should get 1 new ticket */
1546 && (!post_handshake_verify(serverssl, clientssl)
1547 || !TEST_int_eq(new_called, 1)))
1550 SSL_shutdown(clientssl);
1551 SSL_shutdown(serverssl);
1552 SSL_free(serverssl);
1553 SSL_free(clientssl);
1554 serverssl = clientssl = NULL;
1555 SSL_SESSION_free(sesscache[i]);
1556 sesscache[i] = NULL;
1562 SSL_free(clientssl);
1563 SSL_free(serverssl);
1567 static int test_tickets(int stateful, int idx)
1569 SSL_CTX *sctx = NULL, *cctx = NULL;
1570 SSL *serverssl = NULL, *clientssl = NULL;
1574 /* idx is the test number, but also the number of tickets we want */
1579 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1582 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1583 &clientssl, NULL, NULL)))
1586 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1588 /* Check we got the number of tickets we were expecting */
1589 || !TEST_int_eq(idx, new_called))
1592 SSL_shutdown(clientssl);
1593 SSL_shutdown(serverssl);
1594 SSL_free(serverssl);
1595 SSL_free(clientssl);
1598 clientssl = serverssl = NULL;
1602 * Now we try to resume with the tickets we previously created. The
1603 * resumption attempt is expected to fail (because we're now using a new
1604 * SSL_CTX). We should see idx number of tickets issued again.
1607 /* Stop caching sessions - just count them */
1610 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1613 if (!check_resumption(idx, sctx, cctx, 0))
1616 /* Start again with caching sessions */
1623 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1626 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1627 &clientssl, NULL, NULL)))
1630 SSL_set_post_handshake_auth(clientssl, 1);
1632 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1634 /* Check we got the number of tickets we were expecting */
1635 || !TEST_int_eq(idx, new_called))
1638 /* After a post-handshake authentication we should get new tickets issued */
1639 if (!post_handshake_verify(serverssl, clientssl)
1640 || !TEST_int_eq(idx * 2, new_called))
1643 SSL_shutdown(clientssl);
1644 SSL_shutdown(serverssl);
1645 SSL_free(serverssl);
1646 SSL_free(clientssl);
1647 serverssl = clientssl = NULL;
1649 /* Stop caching sessions - just count them */
1653 * Check we can resume with all the tickets we created. This time around the
1654 * resumptions should all be successful.
1656 if (!check_resumption(idx, sctx, cctx, 1))
1662 SSL_free(serverssl);
1663 SSL_free(clientssl);
1664 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1665 SSL_SESSION_free(sesscache[j]);
1666 sesscache[j] = NULL;
1674 static int test_stateless_tickets(int idx)
1676 return test_tickets(0, idx);
1679 static int test_stateful_tickets(int idx)
1681 return test_tickets(1, idx);
1684 static int test_psk_tickets(void)
1686 SSL_CTX *sctx = NULL, *cctx = NULL;
1687 SSL *serverssl = NULL, *clientssl = NULL;
1689 int sess_id_ctx = 1;
1691 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1692 TLS1_VERSION, 0, &sctx,
1694 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1695 (void *)&sess_id_ctx,
1696 sizeof(sess_id_ctx))))
1699 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1700 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1701 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1702 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1703 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1704 use_session_cb_cnt = 0;
1705 find_session_cb_cnt = 0;
1709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1712 clientpsk = serverpsk = create_a_psk(clientssl);
1713 if (!TEST_ptr(clientpsk))
1715 SSL_SESSION_up_ref(clientpsk);
1717 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1719 || !TEST_int_eq(1, find_session_cb_cnt)
1720 || !TEST_int_eq(1, use_session_cb_cnt)
1721 /* We should always get 1 ticket when using external PSK */
1722 || !TEST_int_eq(1, new_called))
1728 SSL_free(serverssl);
1729 SSL_free(clientssl);
1732 SSL_SESSION_free(clientpsk);
1733 SSL_SESSION_free(serverpsk);
1734 clientpsk = serverpsk = NULL;
1743 #define USE_DEFAULT 3
1745 #define CONNTYPE_CONNECTION_SUCCESS 0
1746 #define CONNTYPE_CONNECTION_FAIL 1
1747 #define CONNTYPE_NO_CONNECTION 2
1749 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1750 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1751 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1752 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1754 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1757 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1758 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1759 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1761 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1778 * Tests calls to SSL_set_bio() under various conditions.
1780 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1781 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1782 * then do more tests where we create a successful connection first using our
1783 * standard connection setup functions, and then call SSL_set_bio() with
1784 * various combinations of valid BIOs or NULL. We then repeat these tests
1785 * following a failed connection. In this last case we are looking to check that
1786 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1788 static int test_ssl_set_bio(int idx)
1790 SSL_CTX *sctx = NULL, *cctx = NULL;
1793 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1794 SSL *serverssl = NULL, *clientssl = NULL;
1795 int initrbio, initwbio, newrbio, newwbio, conntype;
1798 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1806 conntype = CONNTYPE_NO_CONNECTION;
1808 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1809 initrbio = initwbio = USE_DEFAULT;
1817 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1819 &sctx, &cctx, cert, privkey)))
1822 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1824 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1825 * because we reduced the number of tests in the definition of
1826 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1827 * mismatched protocol versions we will force a connection failure.
1829 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1830 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1833 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1837 if (initrbio == USE_BIO_1
1838 || initwbio == USE_BIO_1
1839 || newrbio == USE_BIO_1
1840 || newwbio == USE_BIO_1) {
1841 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1845 if (initrbio == USE_BIO_2
1846 || initwbio == USE_BIO_2
1847 || newrbio == USE_BIO_2
1848 || newwbio == USE_BIO_2) {
1849 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1853 if (initrbio != USE_DEFAULT) {
1854 setupbio(&irbio, bio1, bio2, initrbio);
1855 setupbio(&iwbio, bio1, bio2, initwbio);
1856 SSL_set_bio(clientssl, irbio, iwbio);
1859 * We want to maintain our own refs to these BIO, so do an up ref for
1860 * each BIO that will have ownership transferred in the SSL_set_bio()
1865 if (iwbio != NULL && iwbio != irbio)
1869 if (conntype != CONNTYPE_NO_CONNECTION
1870 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1872 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1875 setupbio(&nrbio, bio1, bio2, newrbio);
1876 setupbio(&nwbio, bio1, bio2, newwbio);
1879 * We will (maybe) transfer ownership again so do more up refs.
1880 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1885 && (nwbio != iwbio || nrbio != nwbio))
1889 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1892 SSL_set_bio(clientssl, nrbio, nwbio);
1901 * This test is checking that the ref counting for SSL_set_bio is correct.
1902 * If we get here and we did too many frees then we will fail in the above
1903 * functions. If we haven't done enough then this will only be detected in
1904 * a crypto-mdebug build
1906 SSL_free(serverssl);
1907 SSL_free(clientssl);
1913 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1915 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1917 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1922 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1923 || !TEST_ptr(ssl = SSL_new(ctx))
1924 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1925 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1928 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1931 * If anything goes wrong here then we could leak memory, so this will
1932 * be caught in a crypto-mdebug build
1934 BIO_push(sslbio, membio1);
1936 /* Verify changing the rbio/wbio directly does not cause leaks */
1937 if (change_bio != NO_BIO_CHANGE) {
1938 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1940 if (change_bio == CHANGE_RBIO)
1941 SSL_set0_rbio(ssl, membio2);
1943 SSL_set0_wbio(ssl, membio2);
1962 static int test_ssl_bio_pop_next_bio(void)
1964 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1967 static int test_ssl_bio_pop_ssl_bio(void)
1969 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1972 static int test_ssl_bio_change_rbio(void)
1974 return execute_test_ssl_bio(0, CHANGE_RBIO);
1977 static int test_ssl_bio_change_wbio(void)
1979 return execute_test_ssl_bio(0, CHANGE_WBIO);
1982 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1984 /* The list of sig algs */
1986 /* The length of the list */
1988 /* A sigalgs list in string format */
1989 const char *liststr;
1990 /* Whether setting the list should succeed */
1992 /* Whether creating a connection with the list should succeed */
1996 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1997 # ifndef OPENSSL_NO_EC
1998 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1999 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2001 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2002 static const int invalidlist2[] = {NID_sha256, NID_undef};
2003 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2004 static const int invalidlist4[] = {NID_sha256};
2005 static const sigalgs_list testsigalgs[] = {
2006 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2007 # ifndef OPENSSL_NO_EC
2008 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2009 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2011 {NULL, 0, "RSA+SHA256", 1, 1},
2012 # ifndef OPENSSL_NO_EC
2013 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2014 {NULL, 0, "ECDSA+SHA512", 1, 0},
2016 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2017 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2018 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2019 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2020 {NULL, 0, "RSA", 0, 0},
2021 {NULL, 0, "SHA256", 0, 0},
2022 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2023 {NULL, 0, "Invalid", 0, 0}
2026 static int test_set_sigalgs(int idx)
2028 SSL_CTX *cctx = NULL, *sctx = NULL;
2029 SSL *clientssl = NULL, *serverssl = NULL;
2031 const sigalgs_list *curr;
2034 /* Should never happen */
2035 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2038 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2039 curr = testctx ? &testsigalgs[idx]
2040 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2042 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2044 &sctx, &cctx, cert, privkey)))
2048 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2049 * for TLSv1.2 for now until we add a new API.
2051 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2056 if (curr->list != NULL)
2057 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2059 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2063 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2069 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2074 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2075 &clientssl, NULL, NULL)))
2081 if (curr->list != NULL)
2082 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2084 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2087 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2096 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2104 SSL_free(serverssl);
2105 SSL_free(clientssl);
2113 #ifndef OPENSSL_NO_TLS1_3
2114 static int psk_client_cb_cnt = 0;
2115 static int psk_server_cb_cnt = 0;
2117 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2118 size_t *idlen, SSL_SESSION **sess)
2120 switch (++use_session_cb_cnt) {
2122 /* The first call should always have a NULL md */
2128 /* The second call should always have an md */
2134 /* We should only be called a maximum of twice */
2138 if (clientpsk != NULL)
2139 SSL_SESSION_up_ref(clientpsk);
2142 *id = (const unsigned char *)pskid;
2143 *idlen = strlen(pskid);
2148 #ifndef OPENSSL_NO_PSK
2149 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2150 unsigned int max_id_len,
2152 unsigned int max_psk_len)
2154 unsigned int psklen = 0;
2156 psk_client_cb_cnt++;
2158 if (strlen(pskid) + 1 > max_id_len)
2161 /* We should only ever be called a maximum of twice per connection */
2162 if (psk_client_cb_cnt > 2)
2165 if (clientpsk == NULL)
2168 /* We'll reuse the PSK we set up for TLSv1.3 */
2169 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2171 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2172 strncpy(id, pskid, max_id_len);
2176 #endif /* OPENSSL_NO_PSK */
2178 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2179 size_t identity_len, SSL_SESSION **sess)
2181 find_session_cb_cnt++;
2183 /* We should only ever be called a maximum of twice per connection */
2184 if (find_session_cb_cnt > 2)
2187 if (serverpsk == NULL)
2190 /* Identity should match that set by the client */
2191 if (strlen(srvid) != identity_len
2192 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2193 /* No PSK found, continue but without a PSK */
2198 SSL_SESSION_up_ref(serverpsk);
2204 #ifndef OPENSSL_NO_PSK
2205 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2206 unsigned char *psk, unsigned int max_psk_len)
2208 unsigned int psklen = 0;
2210 psk_server_cb_cnt++;
2212 /* We should only ever be called a maximum of twice per connection */
2213 if (find_session_cb_cnt > 2)
2216 if (serverpsk == NULL)
2219 /* Identity should match that set by the client */
2220 if (strcmp(srvid, identity) != 0) {
2224 /* We'll reuse the PSK we set up for TLSv1.3 */
2225 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2227 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2231 #endif /* OPENSSL_NO_PSK */
2233 #define MSG1 "Hello"
2234 #define MSG2 "World."
2239 #define MSG7 "message."
2241 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2242 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2245 static SSL_SESSION *create_a_psk(SSL *ssl)
2247 const SSL_CIPHER *cipher = NULL;
2248 const unsigned char key[] = {
2249 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2250 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2251 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2252 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2253 0x2c, 0x2d, 0x2e, 0x2f
2255 SSL_SESSION *sess = NULL;
2257 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2258 sess = SSL_SESSION_new();
2260 || !TEST_ptr(cipher)
2261 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2263 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2265 SSL_SESSION_set_protocol_version(sess,
2267 SSL_SESSION_free(sess);
2274 * Helper method to setup objects for early data test. Caller frees objects on
2277 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2278 SSL **serverssl, SSL_SESSION **sess, int idx)
2281 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2282 TLS_client_method(),
2284 sctx, cctx, cert, privkey)))
2287 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2291 /* When idx == 1 we repeat the tests with read_ahead set */
2292 SSL_CTX_set_read_ahead(*cctx, 1);
2293 SSL_CTX_set_read_ahead(*sctx, 1);
2294 } else if (idx == 2) {
2295 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2296 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2297 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2298 use_session_cb_cnt = 0;
2299 find_session_cb_cnt = 0;
2303 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2308 * For one of the run throughs (doesn't matter which one), we'll try sending
2309 * some SNI data in the initial ClientHello. This will be ignored (because
2310 * there is no SNI cb set up by the server), so it should not impact
2314 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2318 clientpsk = create_a_psk(*clientssl);
2319 if (!TEST_ptr(clientpsk)
2321 * We just choose an arbitrary value for max_early_data which
2322 * should be big enough for testing purposes.
2324 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2326 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2327 SSL_SESSION_free(clientpsk);
2331 serverpsk = clientpsk;
2334 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2335 SSL_SESSION_free(clientpsk);
2336 SSL_SESSION_free(serverpsk);
2337 clientpsk = serverpsk = NULL;
2348 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2352 *sess = SSL_get1_session(*clientssl);
2353 SSL_shutdown(*clientssl);
2354 SSL_shutdown(*serverssl);
2355 SSL_free(*serverssl);
2356 SSL_free(*clientssl);
2357 *serverssl = *clientssl = NULL;
2359 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2360 clientssl, NULL, NULL))
2361 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2367 static int test_early_data_read_write(int idx)
2369 SSL_CTX *cctx = NULL, *sctx = NULL;
2370 SSL *clientssl = NULL, *serverssl = NULL;
2372 SSL_SESSION *sess = NULL;
2373 unsigned char buf[20], data[1024];
2374 size_t readbytes, written, eoedlen, rawread, rawwritten;
2377 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2378 &serverssl, &sess, idx)))
2381 /* Write and read some early data */
2382 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2384 || !TEST_size_t_eq(written, strlen(MSG1))
2385 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2386 sizeof(buf), &readbytes),
2387 SSL_READ_EARLY_DATA_SUCCESS)
2388 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2389 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2390 SSL_EARLY_DATA_ACCEPTED))
2394 * Server should be able to write data, and client should be able to
2397 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2399 || !TEST_size_t_eq(written, strlen(MSG2))
2400 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2401 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2404 /* Even after reading normal data, client should be able write early data */
2405 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2407 || !TEST_size_t_eq(written, strlen(MSG3)))
2410 /* Server should still be able read early data after writing data */
2411 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2413 SSL_READ_EARLY_DATA_SUCCESS)
2414 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2417 /* Write more data from server and read it from client */
2418 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2420 || !TEST_size_t_eq(written, strlen(MSG4))
2421 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2422 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2426 * If client writes normal data it should mean writing early data is no
2429 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2430 || !TEST_size_t_eq(written, strlen(MSG5))
2431 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2432 SSL_EARLY_DATA_ACCEPTED))
2436 * At this point the client has written EndOfEarlyData, ClientFinished and
2437 * normal (fully protected) data. We are going to cause a delay between the
2438 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2439 * in the read BIO, and then just put back the EndOfEarlyData message.
2441 rbio = SSL_get_rbio(serverssl);
2442 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2443 || !TEST_size_t_lt(rawread, sizeof(data))
2444 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2447 /* Record length is in the 4th and 5th bytes of the record header */
2448 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2449 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2450 || !TEST_size_t_eq(rawwritten, eoedlen))
2453 /* Server should be told that there is no more early data */
2454 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2456 SSL_READ_EARLY_DATA_FINISH)
2457 || !TEST_size_t_eq(readbytes, 0))
2461 * Server has not finished init yet, so should still be able to write early
2464 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2466 || !TEST_size_t_eq(written, strlen(MSG6)))
2469 /* Push the ClientFinished and the normal data back into the server rbio */
2470 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2472 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2475 /* Server should be able to read normal data */
2476 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2477 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2480 /* Client and server should not be able to write/read early data now */
2481 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2485 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2487 SSL_READ_EARLY_DATA_ERROR))
2491 /* Client should be able to read the data sent by the server */
2492 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2493 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2497 * Make sure we process the two NewSessionTickets. These arrive
2498 * post-handshake. We attempt reads which we do not expect to return any
2501 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2502 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2506 /* Server should be able to write normal data */
2507 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2508 || !TEST_size_t_eq(written, strlen(MSG7))
2509 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2510 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2513 SSL_SESSION_free(sess);
2514 sess = SSL_get1_session(clientssl);
2515 use_session_cb_cnt = 0;
2516 find_session_cb_cnt = 0;
2518 SSL_shutdown(clientssl);
2519 SSL_shutdown(serverssl);
2520 SSL_free(serverssl);
2521 SSL_free(clientssl);
2522 serverssl = clientssl = NULL;
2523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2524 &clientssl, NULL, NULL))
2525 || !TEST_true(SSL_set_session(clientssl, sess)))
2528 /* Write and read some early data */
2529 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2531 || !TEST_size_t_eq(written, strlen(MSG1))
2532 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2534 SSL_READ_EARLY_DATA_SUCCESS)
2535 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2538 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2539 || !TEST_int_gt(SSL_accept(serverssl), 0))
2542 /* Client and server should not be able to write/read early data now */
2543 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2547 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2549 SSL_READ_EARLY_DATA_ERROR))
2553 /* Client and server should be able to write/read normal data */
2554 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2555 || !TEST_size_t_eq(written, strlen(MSG5))
2556 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2557 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2563 SSL_SESSION_free(sess);
2564 SSL_SESSION_free(clientpsk);
2565 SSL_SESSION_free(serverpsk);
2566 clientpsk = serverpsk = NULL;
2567 SSL_free(serverssl);
2568 SSL_free(clientssl);
2574 static int allow_ed_cb_called = 0;
2576 static int allow_early_data_cb(SSL *s, void *arg)
2578 int *usecb = (int *)arg;
2580 allow_ed_cb_called++;
2589 * idx == 0: Standard early_data setup
2590 * idx == 1: early_data setup using read_ahead
2591 * usecb == 0: Don't use a custom early data callback
2592 * usecb == 1: Use a custom early data callback and reject the early data
2593 * usecb == 2: Use a custom early data callback and accept the early data
2594 * confopt == 0: Configure anti-replay directly
2595 * confopt == 1: Configure anti-replay using SSL_CONF
2597 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2599 SSL_CTX *cctx = NULL, *sctx = NULL;
2600 SSL *clientssl = NULL, *serverssl = NULL;
2602 SSL_SESSION *sess = NULL;
2603 size_t readbytes, written;
2604 unsigned char buf[20];
2606 allow_ed_cb_called = 0;
2608 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2609 TLS1_VERSION, 0, &sctx,
2610 &cctx, cert, privkey)))
2615 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2617 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2619 if (!TEST_ptr(confctx))
2621 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2622 | SSL_CONF_FLAG_SERVER);
2623 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2624 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2626 SSL_CONF_CTX_free(confctx);
2629 SSL_CONF_CTX_free(confctx);
2631 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2634 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2635 &serverssl, &sess, idx)))
2639 * The server is configured to accept early data. Create a connection to
2640 * "use up" the ticket
2642 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2643 || !TEST_true(SSL_session_reused(clientssl)))
2646 SSL_shutdown(clientssl);
2647 SSL_shutdown(serverssl);
2648 SSL_free(serverssl);
2649 SSL_free(clientssl);
2650 serverssl = clientssl = NULL;
2652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2653 &clientssl, NULL, NULL))
2654 || !TEST_true(SSL_set_session(clientssl, sess)))
2657 /* Write and read some early data */
2658 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2660 || !TEST_size_t_eq(written, strlen(MSG1)))
2664 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2666 SSL_READ_EARLY_DATA_FINISH)
2668 * The ticket was reused, so the we should have rejected the
2671 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2672 SSL_EARLY_DATA_REJECTED))
2675 /* In this case the callback decides to accept the early data */
2676 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2678 SSL_READ_EARLY_DATA_SUCCESS)
2679 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2681 * Server will have sent its flight so client can now send
2682 * end of early data and complete its half of the handshake
2684 || !TEST_int_gt(SSL_connect(clientssl), 0)
2685 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2687 SSL_READ_EARLY_DATA_FINISH)
2688 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2689 SSL_EARLY_DATA_ACCEPTED))
2693 /* Complete the connection */
2694 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2695 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2696 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2702 SSL_SESSION_free(sess);
2703 SSL_SESSION_free(clientpsk);
2704 SSL_SESSION_free(serverpsk);
2705 clientpsk = serverpsk = NULL;
2706 SSL_free(serverssl);
2707 SSL_free(clientssl);
2713 static int test_early_data_replay(int idx)
2715 int ret = 1, usecb, confopt;
2717 for (usecb = 0; usecb < 3; usecb++) {
2718 for (confopt = 0; confopt < 2; confopt++)
2719 ret &= test_early_data_replay_int(idx, usecb, confopt);
2726 * Helper function to test that a server attempting to read early data can
2727 * handle a connection from a client where the early data should be skipped.
2728 * testtype: 0 == No HRR
2729 * testtype: 1 == HRR
2730 * testtype: 2 == HRR, invalid early_data sent after HRR
2731 * testtype: 3 == recv_max_early_data set to 0
2733 static int early_data_skip_helper(int testtype, int idx)
2735 SSL_CTX *cctx = NULL, *sctx = NULL;
2736 SSL *clientssl = NULL, *serverssl = NULL;
2738 SSL_SESSION *sess = NULL;
2739 unsigned char buf[20];
2740 size_t readbytes, written;
2742 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2743 &serverssl, &sess, idx)))
2746 if (testtype == 1 || testtype == 2) {
2747 /* Force an HRR to occur */
2748 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2750 } else if (idx == 2) {
2752 * We force early_data rejection by ensuring the PSK identity is
2755 srvid = "Dummy Identity";
2758 * Deliberately corrupt the creation time. We take 20 seconds off the
2759 * time. It could be any value as long as it is not within tolerance.
2760 * This should mean the ticket is rejected.
2762 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2767 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2770 /* Write some early data */
2771 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2773 || !TEST_size_t_eq(written, strlen(MSG1)))
2776 /* Server should reject the early data */
2777 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2779 SSL_READ_EARLY_DATA_FINISH)
2780 || !TEST_size_t_eq(readbytes, 0)
2781 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2782 SSL_EARLY_DATA_REJECTED))
2792 * Finish off the handshake. We perform the same writes and reads as
2793 * further down but we expect them to fail due to the incomplete
2796 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2797 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2804 BIO *wbio = SSL_get_wbio(clientssl);
2805 /* A record that will appear as bad early_data */
2806 const unsigned char bad_early_data[] = {
2807 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2811 * We force the client to attempt a write. This will fail because
2812 * we're still in the handshake. It will cause the second
2813 * ClientHello to be sent.
2815 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2820 * Inject some early_data after the second ClientHello. This should
2821 * cause the server to fail
2823 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2824 sizeof(bad_early_data), &written)))
2831 * This client has sent more early_data than we are willing to skip
2832 * (case 3) or sent invalid early_data (case 2) so the connection should
2835 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2836 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2839 /* Connection has failed - nothing more to do */
2844 TEST_error("Invalid test type");
2849 * Should be able to send normal data despite rejection of early data. The
2850 * early_data should be skipped.
2852 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2853 || !TEST_size_t_eq(written, strlen(MSG2))
2854 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2855 SSL_EARLY_DATA_REJECTED)
2856 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2857 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2863 SSL_SESSION_free(clientpsk);
2864 SSL_SESSION_free(serverpsk);
2865 clientpsk = serverpsk = NULL;
2866 SSL_SESSION_free(sess);
2867 SSL_free(serverssl);
2868 SSL_free(clientssl);
2875 * Test that a server attempting to read early data can handle a connection
2876 * from a client where the early data is not acceptable.
2878 static int test_early_data_skip(int idx)
2880 return early_data_skip_helper(0, idx);
2884 * Test that a server attempting to read early data can handle a connection
2885 * from a client where an HRR occurs.
2887 static int test_early_data_skip_hrr(int idx)
2889 return early_data_skip_helper(1, idx);
2893 * Test that a server attempting to read early data can handle a connection
2894 * from a client where an HRR occurs and correctly fails if early_data is sent
2897 static int test_early_data_skip_hrr_fail(int idx)
2899 return early_data_skip_helper(2, idx);
2903 * Test that a server attempting to read early data will abort if it tries to
2904 * skip over too much.
2906 static int test_early_data_skip_abort(int idx)
2908 return early_data_skip_helper(3, idx);
2912 * Test that a server attempting to read early data can handle a connection
2913 * from a client that doesn't send any.
2915 static int test_early_data_not_sent(int idx)
2917 SSL_CTX *cctx = NULL, *sctx = NULL;
2918 SSL *clientssl = NULL, *serverssl = NULL;
2920 SSL_SESSION *sess = NULL;
2921 unsigned char buf[20];
2922 size_t readbytes, written;
2924 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2925 &serverssl, &sess, idx)))
2928 /* Write some data - should block due to handshake with server */
2929 SSL_set_connect_state(clientssl);
2930 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2933 /* Server should detect that early data has not been sent */
2934 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2936 SSL_READ_EARLY_DATA_FINISH)
2937 || !TEST_size_t_eq(readbytes, 0)
2938 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2939 SSL_EARLY_DATA_NOT_SENT)
2940 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2941 SSL_EARLY_DATA_NOT_SENT))
2944 /* Continue writing the message we started earlier */
2945 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2946 || !TEST_size_t_eq(written, strlen(MSG1))
2947 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2948 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2949 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2950 || !TEST_size_t_eq(written, strlen(MSG2)))
2953 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2954 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2960 SSL_SESSION_free(sess);
2961 SSL_SESSION_free(clientpsk);
2962 SSL_SESSION_free(serverpsk);
2963 clientpsk = serverpsk = NULL;
2964 SSL_free(serverssl);
2965 SSL_free(clientssl);
2971 static int hostname_cb(SSL *s, int *al, void *arg)
2973 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2975 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2976 return SSL_TLSEXT_ERR_OK;
2978 return SSL_TLSEXT_ERR_NOACK;
2981 static const char *servalpn;
2983 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2984 unsigned char *outlen, const unsigned char *in,
2985 unsigned int inlen, void *arg)
2987 unsigned int protlen = 0;
2988 const unsigned char *prot;
2990 for (prot = in; prot < in + inlen; prot += protlen) {
2992 if (in + inlen < prot + protlen)
2993 return SSL_TLSEXT_ERR_NOACK;
2995 if (protlen == strlen(servalpn)
2996 && memcmp(prot, servalpn, protlen) == 0) {
2999 return SSL_TLSEXT_ERR_OK;
3003 return SSL_TLSEXT_ERR_NOACK;
3006 /* Test that a PSK can be used to send early_data */
3007 static int test_early_data_psk(int idx)
3009 SSL_CTX *cctx = NULL, *sctx = NULL;
3010 SSL *clientssl = NULL, *serverssl = NULL;
3012 SSL_SESSION *sess = NULL;
3013 unsigned char alpnlist[] = {
3014 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3017 #define GOODALPNLEN 9
3018 #define BADALPNLEN 8
3019 #define GOODALPN (alpnlist)
3020 #define BADALPN (alpnlist + GOODALPNLEN)
3022 unsigned char buf[20];
3023 size_t readbytes, written;
3024 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3025 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3027 /* We always set this up with a final parameter of "2" for PSK */
3028 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3029 &serverssl, &sess, 2)))
3032 servalpn = "goodalpn";
3035 * Note: There is no test for inconsistent SNI with late client detection.
3036 * This is because servers do not acknowledge SNI even if they are using
3037 * it in a resumption handshake - so it is not actually possible for a
3038 * client to detect a problem.
3042 /* Set inconsistent SNI (early client detection) */
3043 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3044 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3045 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3050 /* Set inconsistent ALPN (early client detection) */
3051 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3052 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3053 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3055 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3062 * Set invalid protocol version. Technically this affects PSKs without
3063 * early_data too, but we test it here because it is similar to the
3064 * SNI/ALPN consistency tests.
3066 err = SSL_R_BAD_PSK;
3067 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3073 * Set inconsistent SNI (server detected). In this case the connection
3074 * will succeed but reject early_data.
3076 SSL_SESSION_free(serverpsk);
3077 serverpsk = SSL_SESSION_dup(clientpsk);
3078 if (!TEST_ptr(serverpsk)
3079 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3081 edstatus = SSL_EARLY_DATA_REJECTED;
3082 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3085 /* Set consistent SNI */
3086 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3087 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3088 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3095 * Set inconsistent ALPN (server detected). In this case the connection
3096 * will succeed but reject early_data.
3098 servalpn = "badalpn";
3099 edstatus = SSL_EARLY_DATA_REJECTED;
3100 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3104 * Set consistent ALPN.
3105 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3106 * accepts a list of protos (each one length prefixed).
3107 * SSL_set1_alpn_selected accepts a single protocol (not length
3110 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3112 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3116 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3120 /* Set inconsistent ALPN (late client detection) */
3121 SSL_SESSION_free(serverpsk);
3122 serverpsk = SSL_SESSION_dup(clientpsk);
3123 if (!TEST_ptr(serverpsk)
3124 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3127 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3130 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3133 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3134 edstatus = SSL_EARLY_DATA_ACCEPTED;
3135 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3136 /* SSL_connect() call should fail */
3141 TEST_error("Bad test index");
3145 SSL_set_connect_state(clientssl);
3147 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3149 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3150 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3153 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3157 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3158 &readbytes), readearlyres)
3159 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3160 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3161 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3162 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3169 SSL_SESSION_free(sess);
3170 SSL_SESSION_free(clientpsk);
3171 SSL_SESSION_free(serverpsk);
3172 clientpsk = serverpsk = NULL;
3173 SSL_free(serverssl);
3174 SSL_free(clientssl);
3181 * Test that a server that doesn't try to read early data can handle a
3182 * client sending some.
3184 static int test_early_data_not_expected(int idx)
3186 SSL_CTX *cctx = NULL, *sctx = NULL;
3187 SSL *clientssl = NULL, *serverssl = NULL;
3189 SSL_SESSION *sess = NULL;
3190 unsigned char buf[20];
3191 size_t readbytes, written;
3193 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3194 &serverssl, &sess, idx)))
3197 /* Write some early data */
3198 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3203 * Server should skip over early data and then block waiting for client to
3204 * continue handshake
3206 if (!TEST_int_le(SSL_accept(serverssl), 0)
3207 || !TEST_int_gt(SSL_connect(clientssl), 0)
3208 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3209 SSL_EARLY_DATA_REJECTED)
3210 || !TEST_int_gt(SSL_accept(serverssl), 0)
3211 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3212 SSL_EARLY_DATA_REJECTED))
3215 /* Send some normal data from client to server */
3216 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3217 || !TEST_size_t_eq(written, strlen(MSG2)))
3220 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3221 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3227 SSL_SESSION_free(sess);
3228 SSL_SESSION_free(clientpsk);
3229 SSL_SESSION_free(serverpsk);
3230 clientpsk = serverpsk = NULL;
3231 SSL_free(serverssl);
3232 SSL_free(clientssl);
3239 # ifndef OPENSSL_NO_TLS1_2
3241 * Test that a server attempting to read early data can handle a connection
3242 * from a TLSv1.2 client.
3244 static int test_early_data_tls1_2(int idx)
3246 SSL_CTX *cctx = NULL, *sctx = NULL;
3247 SSL *clientssl = NULL, *serverssl = NULL;
3249 unsigned char buf[20];
3250 size_t readbytes, written;
3252 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3253 &serverssl, NULL, idx)))
3256 /* Write some data - should block due to handshake with server */
3257 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3258 SSL_set_connect_state(clientssl);
3259 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3263 * Server should do TLSv1.2 handshake. First it will block waiting for more
3264 * messages from client after ServerDone. Then SSL_read_early_data should
3265 * finish and detect that early data has not been sent
3267 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3269 SSL_READ_EARLY_DATA_ERROR))
3273 * Continue writing the message we started earlier. Will still block waiting
3274 * for the CCS/Finished from server
3276 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3277 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3279 SSL_READ_EARLY_DATA_FINISH)
3280 || !TEST_size_t_eq(readbytes, 0)
3281 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3282 SSL_EARLY_DATA_NOT_SENT))
3285 /* Continue writing the message we started earlier */
3286 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3287 || !TEST_size_t_eq(written, strlen(MSG1))
3288 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3289 SSL_EARLY_DATA_NOT_SENT)
3290 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3291 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3292 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3293 || !TEST_size_t_eq(written, strlen(MSG2))
3294 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3295 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3301 SSL_SESSION_free(clientpsk);
3302 SSL_SESSION_free(serverpsk);
3303 clientpsk = serverpsk = NULL;
3304 SSL_free(serverssl);
3305 SSL_free(clientssl);
3311 # endif /* OPENSSL_NO_TLS1_2 */
3314 * Test configuring the TLSv1.3 ciphersuites
3316 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3317 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3318 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3319 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3320 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3321 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3322 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3323 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3324 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3325 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3327 static int test_set_ciphersuite(int idx)
3329 SSL_CTX *cctx = NULL, *sctx = NULL;
3330 SSL *clientssl = NULL, *serverssl = NULL;
3333 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3335 &sctx, &cctx, cert, privkey))
3336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3337 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3340 if (idx >=4 && idx <= 7) {
3341 /* SSL_CTX explicit cipher list */
3342 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3346 if (idx == 0 || idx == 4) {
3347 /* Default ciphersuite */
3348 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3349 "TLS_AES_128_GCM_SHA256")))
3351 } else if (idx == 1 || idx == 5) {
3352 /* Non default ciphersuite */
3353 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3354 "TLS_AES_128_CCM_SHA256")))
3358 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3359 &clientssl, NULL, NULL)))
3362 if (idx == 8 || idx == 9) {
3363 /* SSL explicit cipher list */
3364 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3368 if (idx == 2 || idx == 6 || idx == 8) {
3369 /* Default ciphersuite */
3370 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3371 "TLS_AES_128_GCM_SHA256")))
3373 } else if (idx == 3 || idx == 7 || idx == 9) {
3374 /* Non default ciphersuite */
3375 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3376 "TLS_AES_128_CCM_SHA256")))
3380 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3386 SSL_free(serverssl);
3387 SSL_free(clientssl);
3394 static int test_ciphersuite_change(void)
3396 SSL_CTX *cctx = NULL, *sctx = NULL;
3397 SSL *clientssl = NULL, *serverssl = NULL;
3398 SSL_SESSION *clntsess = NULL;
3400 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3402 /* Create a session based on SHA-256 */
3403 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3405 &sctx, &cctx, cert, privkey))
3406 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3407 "TLS_AES_128_GCM_SHA256"))
3408 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3409 &clientssl, NULL, NULL))
3410 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3414 clntsess = SSL_get1_session(clientssl);
3415 /* Save for later */
3416 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3417 SSL_shutdown(clientssl);
3418 SSL_shutdown(serverssl);
3419 SSL_free(serverssl);
3420 SSL_free(clientssl);
3421 serverssl = clientssl = NULL;
3423 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3424 /* Check we can resume a session with a different SHA-256 ciphersuite */
3425 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3426 "TLS_CHACHA20_POLY1305_SHA256"))
3427 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3429 || !TEST_true(SSL_set_session(clientssl, clntsess))
3430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3432 || !TEST_true(SSL_session_reused(clientssl)))
3435 SSL_SESSION_free(clntsess);
3436 clntsess = SSL_get1_session(clientssl);
3437 SSL_shutdown(clientssl);
3438 SSL_shutdown(serverssl);
3439 SSL_free(serverssl);
3440 SSL_free(clientssl);
3441 serverssl = clientssl = NULL;
3445 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3446 * succeeds but does not resume.
3448 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3449 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3451 || !TEST_true(SSL_set_session(clientssl, clntsess))
3452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3454 || !TEST_false(SSL_session_reused(clientssl)))
3457 SSL_SESSION_free(clntsess);
3459 SSL_shutdown(clientssl);
3460 SSL_shutdown(serverssl);
3461 SSL_free(serverssl);
3462 SSL_free(clientssl);
3463 serverssl = clientssl = NULL;
3465 /* Create a session based on SHA384 */
3466 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3467 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3468 &clientssl, NULL, NULL))
3469 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3473 clntsess = SSL_get1_session(clientssl);
3474 SSL_shutdown(clientssl);
3475 SSL_shutdown(serverssl);
3476 SSL_free(serverssl);
3477 SSL_free(clientssl);
3478 serverssl = clientssl = NULL;
3480 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3481 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3482 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3483 "TLS_AES_256_GCM_SHA384"))
3484 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3486 || !TEST_true(SSL_set_session(clientssl, clntsess))
3488 * We use SSL_ERROR_WANT_READ below so that we can pause the
3489 * connection after the initial ClientHello has been sent to
3490 * enable us to make some session changes.
3492 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3493 SSL_ERROR_WANT_READ)))
3496 /* Trick the client into thinking this session is for a different digest */
3497 clntsess->cipher = aes_128_gcm_sha256;
3498 clntsess->cipher_id = clntsess->cipher->id;
3501 * Continue the previously started connection. Server has selected a SHA-384
3502 * ciphersuite, but client thinks the session is for SHA-256, so it should
3505 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3507 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3508 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3514 SSL_SESSION_free(clntsess);
3515 SSL_free(serverssl);
3516 SSL_free(clientssl);
3525 * Test 0 = Test new style callbacks
3526 * Test 1 = Test both new and old style callbacks
3527 * Test 2 = Test old style callbacks
3528 * Test 3 = Test old style callbacks with no certificate
3530 static int test_tls13_psk(int idx)
3532 SSL_CTX *sctx = NULL, *cctx = NULL;
3533 SSL *serverssl = NULL, *clientssl = NULL;
3534 const SSL_CIPHER *cipher = NULL;
3535 const unsigned char key[] = {
3536 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3537 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3538 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3539 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3543 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3545 &sctx, &cctx, idx == 3 ? NULL : cert,
3546 idx == 3 ? NULL : privkey)))
3551 * We use a ciphersuite with SHA256 to ease testing old style PSK
3552 * callbacks which will always default to SHA256. This should not be
3553 * necessary if we have no cert/priv key. In that case the server should
3554 * prefer SHA256 automatically.
3556 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3557 "TLS_AES_128_GCM_SHA256")))
3562 * Test 0: New style callbacks only
3563 * Test 1: New and old style callbacks (only the new ones should be used)
3564 * Test 2: Old style callbacks only
3566 if (idx == 0 || idx == 1) {
3567 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3568 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3570 #ifndef OPENSSL_NO_PSK
3572 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3573 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3577 use_session_cb_cnt = 0;
3578 find_session_cb_cnt = 0;
3579 psk_client_cb_cnt = 0;
3580 psk_server_cb_cnt = 0;
3584 * Check we can create a connection if callback decides not to send a
3587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3589 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3591 || !TEST_false(SSL_session_reused(clientssl))
3592 || !TEST_false(SSL_session_reused(serverssl)))
3595 if (idx == 0 || idx == 1) {
3596 if (!TEST_true(use_session_cb_cnt == 1)
3597 || !TEST_true(find_session_cb_cnt == 0)
3599 * If no old style callback then below should be 0
3602 || !TEST_true(psk_client_cb_cnt == idx)
3603 || !TEST_true(psk_server_cb_cnt == 0))
3606 if (!TEST_true(use_session_cb_cnt == 0)
3607 || !TEST_true(find_session_cb_cnt == 0)
3608 || !TEST_true(psk_client_cb_cnt == 1)
3609 || !TEST_true(psk_server_cb_cnt == 0))
3613 shutdown_ssl_connection(serverssl, clientssl);
3614 serverssl = clientssl = NULL;
3615 use_session_cb_cnt = psk_client_cb_cnt = 0;
3618 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3622 /* Create the PSK */
3623 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3624 clientpsk = SSL_SESSION_new();
3625 if (!TEST_ptr(clientpsk)
3626 || !TEST_ptr(cipher)
3627 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3629 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3630 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3632 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3634 serverpsk = clientpsk;
3636 /* Check we can create a connection and the PSK is used */
3637 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3638 || !TEST_true(SSL_session_reused(clientssl))
3639 || !TEST_true(SSL_session_reused(serverssl)))
3642 if (idx == 0 || idx == 1) {
3643 if (!TEST_true(use_session_cb_cnt == 1)
3644 || !TEST_true(find_session_cb_cnt == 1)
3645 || !TEST_true(psk_client_cb_cnt == 0)
3646 || !TEST_true(psk_server_cb_cnt == 0))
3649 if (!TEST_true(use_session_cb_cnt == 0)
3650 || !TEST_true(find_session_cb_cnt == 0)
3651 || !TEST_true(psk_client_cb_cnt == 1)
3652 || !TEST_true(psk_server_cb_cnt == 1))
3656 shutdown_ssl_connection(serverssl, clientssl);
3657 serverssl = clientssl = NULL;
3658 use_session_cb_cnt = find_session_cb_cnt = 0;
3659 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3661 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3666 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3670 * Check we can create a connection, the PSK is used and the callbacks are
3673 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3674 || !TEST_true(SSL_session_reused(clientssl))
3675 || !TEST_true(SSL_session_reused(serverssl)))
3678 if (idx == 0 || idx == 1) {
3679 if (!TEST_true(use_session_cb_cnt == 2)
3680 || !TEST_true(find_session_cb_cnt == 2)
3681 || !TEST_true(psk_client_cb_cnt == 0)
3682 || !TEST_true(psk_server_cb_cnt == 0))
3685 if (!TEST_true(use_session_cb_cnt == 0)
3686 || !TEST_true(find_session_cb_cnt == 0)
3687 || !TEST_true(psk_client_cb_cnt == 2)
3688 || !TEST_true(psk_server_cb_cnt == 2))
3692 shutdown_ssl_connection(serverssl, clientssl);
3693 serverssl = clientssl = NULL;
3694 use_session_cb_cnt = find_session_cb_cnt = 0;
3695 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3699 * Check that if the server rejects the PSK we can still connect, but with
3702 srvid = "Dummy Identity";
3703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3705 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3707 || !TEST_false(SSL_session_reused(clientssl))
3708 || !TEST_false(SSL_session_reused(serverssl)))
3711 if (idx == 0 || idx == 1) {
3712 if (!TEST_true(use_session_cb_cnt == 1)
3713 || !TEST_true(find_session_cb_cnt == 1)
3714 || !TEST_true(psk_client_cb_cnt == 0)
3716 * If no old style callback then below should be 0
3719 || !TEST_true(psk_server_cb_cnt == idx))
3722 if (!TEST_true(use_session_cb_cnt == 0)
3723 || !TEST_true(find_session_cb_cnt == 0)
3724 || !TEST_true(psk_client_cb_cnt == 1)
3725 || !TEST_true(psk_server_cb_cnt == 1))
3729 shutdown_ssl_connection(serverssl, clientssl);
3730 serverssl = clientssl = NULL;
3735 SSL_SESSION_free(clientpsk);
3736 SSL_SESSION_free(serverpsk);
3737 clientpsk = serverpsk = NULL;
3738 SSL_free(serverssl);
3739 SSL_free(clientssl);
3745 static unsigned char cookie_magic_value[] = "cookie magic";
3747 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3748 unsigned int *cookie_len)
3751 * Not suitable as a real cookie generation function but good enough for
3754 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3755 *cookie_len = sizeof(cookie_magic_value) - 1;
3760 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3761 unsigned int cookie_len)
3763 if (cookie_len == sizeof(cookie_magic_value) - 1
3764 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3770 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3774 int res = generate_cookie_callback(ssl, cookie, &temp);
3779 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3782 return verify_cookie_callback(ssl, cookie, cookie_len);
3785 static int test_stateless(void)
3787 SSL_CTX *sctx = NULL, *cctx = NULL;
3788 SSL *serverssl = NULL, *clientssl = NULL;
3791 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3793 &sctx, &cctx, cert, privkey)))
3796 /* The arrival of CCS messages can confuse the test */
3797 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3801 /* Send the first ClientHello */
3802 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3803 SSL_ERROR_WANT_READ))
3805 * This should fail with a -1 return because we have no callbacks
3808 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3811 /* Fatal error so abandon the connection from this client */
3812 SSL_free(clientssl);
3815 /* Set up the cookie generation and verification callbacks */
3816 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3817 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3820 * Create a new connection from the client (we can reuse the server SSL
3823 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3825 /* Send the first ClientHello */
3826 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3827 SSL_ERROR_WANT_READ))
3828 /* This should fail because there is no cookie */
3829 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3832 /* Abandon the connection from this client */
3833 SSL_free(clientssl);
3837 * Now create a connection from a new client but with the same server SSL
3840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3842 /* Send the first ClientHello */
3843 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3844 SSL_ERROR_WANT_READ))
3845 /* This should fail because there is no cookie */
3846 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3847 /* Send the second ClientHello */
3848 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3849 SSL_ERROR_WANT_READ))
3850 /* This should succeed because a cookie is now present */
3851 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3852 /* Complete the connection */
3853 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3857 shutdown_ssl_connection(serverssl, clientssl);
3858 serverssl = clientssl = NULL;
3862 SSL_free(serverssl);
3863 SSL_free(clientssl);
3869 #endif /* OPENSSL_NO_TLS1_3 */
3871 static int clntaddoldcb = 0;
3872 static int clntparseoldcb = 0;
3873 static int srvaddoldcb = 0;
3874 static int srvparseoldcb = 0;
3875 static int clntaddnewcb = 0;
3876 static int clntparsenewcb = 0;
3877 static int srvaddnewcb = 0;
3878 static int srvparsenewcb = 0;
3879 static int snicb = 0;
3881 #define TEST_EXT_TYPE1 0xff00
3883 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3884 size_t *outlen, int *al, void *add_arg)
3886 int *server = (int *)add_arg;
3887 unsigned char *data;
3889 if (SSL_is_server(s))
3894 if (*server != SSL_is_server(s)
3895 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3900 *outlen = sizeof(char);
3904 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3907 OPENSSL_free((unsigned char *)out);
3910 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3911 size_t inlen, int *al, void *parse_arg)
3913 int *server = (int *)parse_arg;
3915 if (SSL_is_server(s))
3920 if (*server != SSL_is_server(s)
3921 || inlen != sizeof(char)
3928 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3929 const unsigned char **out, size_t *outlen, X509 *x,
3930 size_t chainidx, int *al, void *add_arg)
3932 int *server = (int *)add_arg;
3933 unsigned char *data;
3935 if (SSL_is_server(s))
3940 if (*server != SSL_is_server(s)
3941 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3946 *outlen = sizeof(*data);
3950 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3951 const unsigned char *out, void *add_arg)
3953 OPENSSL_free((unsigned char *)out);
3956 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3957 const unsigned char *in, size_t inlen, X509 *x,
3958 size_t chainidx, int *al, void *parse_arg)
3960 int *server = (int *)parse_arg;
3962 if (SSL_is_server(s))
3967 if (*server != SSL_is_server(s)
3968 || inlen != sizeof(char) || *in != 1)
3974 static int sni_cb(SSL *s, int *al, void *arg)
3976 SSL_CTX *ctx = (SSL_CTX *)arg;
3978 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3979 *al = SSL_AD_INTERNAL_ERROR;
3980 return SSL_TLSEXT_ERR_ALERT_FATAL;
3983 return SSL_TLSEXT_ERR_OK;
3987 * Custom call back tests.
3988 * Test 0: Old style callbacks in TLSv1.2
3989 * Test 1: New style callbacks in TLSv1.2
3990 * Test 2: New style callbacks in TLSv1.2 with SNI
3991 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3992 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3994 static int test_custom_exts(int tst)
3996 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3997 SSL *clientssl = NULL, *serverssl = NULL;
3999 static int server = 1;
4000 static int client = 0;
4001 SSL_SESSION *sess = NULL;
4002 unsigned int context;
4004 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4005 /* Skip tests for TLSv1.2 and below in this case */
4010 /* Reset callback counters */
4011 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4012 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4015 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4017 &sctx, &cctx, cert, privkey)))
4021 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4023 &sctx2, NULL, cert, privkey)))
4028 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4029 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4031 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4035 context = SSL_EXT_CLIENT_HELLO
4036 | SSL_EXT_TLS1_2_SERVER_HELLO
4037 | SSL_EXT_TLS1_3_SERVER_HELLO
4038 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4039 | SSL_EXT_TLS1_3_CERTIFICATE
4040 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4042 context = SSL_EXT_CLIENT_HELLO
4043 | SSL_EXT_TLS1_2_SERVER_HELLO
4044 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4047 /* Create a client side custom extension */
4049 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4050 old_add_cb, old_free_cb,
4051 &client, old_parse_cb,
4055 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4056 new_add_cb, new_free_cb,
4057 &client, new_parse_cb, &client)))
4061 /* Should not be able to add duplicates */
4062 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4063 old_add_cb, old_free_cb,
4064 &client, old_parse_cb,
4066 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4067 context, new_add_cb,
4068 new_free_cb, &client,
4069 new_parse_cb, &client)))
4072 /* Create a server side custom extension */
4074 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4075 old_add_cb, old_free_cb,
4076 &server, old_parse_cb,
4080 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4081 new_add_cb, new_free_cb,
4082 &server, new_parse_cb, &server)))
4085 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4086 context, new_add_cb,
4087 new_free_cb, &server,
4088 new_parse_cb, &server)))
4092 /* Should not be able to add duplicates */
4093 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4094 old_add_cb, old_free_cb,
4095 &server, old_parse_cb,
4097 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4098 context, new_add_cb,
4099 new_free_cb, &server,
4100 new_parse_cb, &server)))
4105 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4106 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4110 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4111 &clientssl, NULL, NULL))
4112 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4117 if (clntaddoldcb != 1
4118 || clntparseoldcb != 1
4120 || srvparseoldcb != 1)
4122 } else if (tst == 1 || tst == 2 || tst == 3) {
4123 if (clntaddnewcb != 1
4124 || clntparsenewcb != 1
4126 || srvparsenewcb != 1
4127 || (tst != 2 && snicb != 0)
4128 || (tst == 2 && snicb != 1))
4131 /* In this case there 2 NewSessionTicket messages created */
4132 if (clntaddnewcb != 1
4133 || clntparsenewcb != 5
4135 || srvparsenewcb != 1)
4139 sess = SSL_get1_session(clientssl);
4140 SSL_shutdown(clientssl);
4141 SSL_shutdown(serverssl);
4142 SSL_free(serverssl);
4143 SSL_free(clientssl);
4144 serverssl = clientssl = NULL;
4147 /* We don't bother with the resumption aspects for this test */
4152 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4154 || !TEST_true(SSL_set_session(clientssl, sess))
4155 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4160 * For a resumed session we expect to add the ClientHello extension. For the
4161 * old style callbacks we ignore it on the server side because they set
4162 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4166 if (clntaddoldcb != 2
4167 || clntparseoldcb != 1
4169 || srvparseoldcb != 1)
4171 } else if (tst == 1 || tst == 2 || tst == 3) {
4172 if (clntaddnewcb != 2
4173 || clntparsenewcb != 2
4175 || srvparsenewcb != 2)
4179 * No Certificate message extensions in the resumption handshake,
4180 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4182 if (clntaddnewcb != 2
4183 || clntparsenewcb != 8
4185 || srvparsenewcb != 2)
4192 SSL_SESSION_free(sess);
4193 SSL_free(serverssl);
4194 SSL_free(clientssl);
4195 SSL_CTX_free(sctx2);
4202 * Test loading of serverinfo data in various formats. test_sslmessages actually
4203 * tests to make sure the extensions appear in the handshake
4205 static int test_serverinfo(int tst)
4207 unsigned int version;
4208 unsigned char *sibuf;
4210 int ret, expected, testresult = 0;
4213 ctx = SSL_CTX_new(TLS_method());
4217 if ((tst & 0x01) == 0x01)
4218 version = SSL_SERVERINFOV2;
4220 version = SSL_SERVERINFOV1;
4222 if ((tst & 0x02) == 0x02) {
4223 sibuf = serverinfov2;
4224 sibuflen = sizeof(serverinfov2);
4225 expected = (version == SSL_SERVERINFOV2);
4227 sibuf = serverinfov1;
4228 sibuflen = sizeof(serverinfov1);
4229 expected = (version == SSL_SERVERINFOV1);
4232 if ((tst & 0x04) == 0x04) {
4233 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4235 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4238 * The version variable is irrelevant in this case - it's what is in the
4239 * buffer that matters
4241 if ((tst & 0x02) == 0x02)
4247 if (!TEST_true(ret == expected))
4259 * Test that SSL_export_keying_material() produces expected results. There are
4260 * no test vectors so all we do is test that both sides of the communication
4261 * produce the same results for different protocol versions.
4263 #define SMALL_LABEL_LEN 10
4264 #define LONG_LABEL_LEN 249
4265 static int test_export_key_mat(int tst)
4268 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4269 SSL *clientssl = NULL, *serverssl = NULL;
4270 const char label[LONG_LABEL_LEN + 1] = "test label";
4271 const unsigned char context[] = "context";
4272 const unsigned char *emptycontext = NULL;
4273 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4274 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4276 const int protocols[] = {
4285 #ifdef OPENSSL_NO_TLS1
4289 #ifdef OPENSSL_NO_TLS1_1
4293 #ifdef OPENSSL_NO_TLS1_2
4297 #ifdef OPENSSL_NO_TLS1_3
4301 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4303 &sctx, &cctx, cert, privkey)))
4306 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4307 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4308 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4310 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4312 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4318 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4321 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4322 sizeof(ckeymat1), label,
4323 LONG_LABEL_LEN + 1, context,
4324 sizeof(context) - 1, 1), 0))
4329 } else if (tst == 4) {
4330 labellen = LONG_LABEL_LEN;
4332 labellen = SMALL_LABEL_LEN;
4335 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4336 sizeof(ckeymat1), label,
4338 sizeof(context) - 1, 1), 1)
4339 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4340 sizeof(ckeymat2), label,
4344 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4345 sizeof(ckeymat3), label,
4348 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4349 sizeof(skeymat1), label,
4352 sizeof(context) -1, 1),
4354 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4355 sizeof(skeymat2), label,
4359 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4360 sizeof(skeymat3), label,
4364 * Check that both sides created the same key material with the
4367 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4370 * Check that both sides created the same key material with an
4373 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4376 * Check that both sides created the same key material without a
4379 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4381 /* Different contexts should produce different results */
4382 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4387 * Check that an empty context and no context produce different results in
4388 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4390 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4392 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4399 SSL_free(serverssl);
4400 SSL_free(clientssl);
4401 SSL_CTX_free(sctx2);
4408 #ifndef OPENSSL_NO_TLS1_3
4410 * Test that SSL_export_keying_material_early() produces expected
4411 * results. There are no test vectors so all we do is test that both
4412 * sides of the communication produce the same results for different
4413 * protocol versions.
4415 static int test_export_key_mat_early(int idx)
4417 static const char label[] = "test label";
4418 static const unsigned char context[] = "context";
4420 SSL_CTX *cctx = NULL, *sctx = NULL;
4421 SSL *clientssl = NULL, *serverssl = NULL;
4422 SSL_SESSION *sess = NULL;
4423 const unsigned char *emptycontext = NULL;
4424 unsigned char ckeymat1[80], ckeymat2[80];
4425 unsigned char skeymat1[80], skeymat2[80];
4426 unsigned char buf[1];
4427 size_t readbytes, written;
4429 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4433 /* Here writing 0 length early data is enough. */
4434 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4435 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4437 SSL_READ_EARLY_DATA_ERROR)
4438 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4439 SSL_EARLY_DATA_ACCEPTED))
4442 if (!TEST_int_eq(SSL_export_keying_material_early(
4443 clientssl, ckeymat1, sizeof(ckeymat1), label,
4444 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4445 || !TEST_int_eq(SSL_export_keying_material_early(
4446 clientssl, ckeymat2, sizeof(ckeymat2), label,
4447 sizeof(label) - 1, emptycontext, 0), 1)
4448 || !TEST_int_eq(SSL_export_keying_material_early(
4449 serverssl, skeymat1, sizeof(skeymat1), label,
4450 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4451 || !TEST_int_eq(SSL_export_keying_material_early(
4452 serverssl, skeymat2, sizeof(skeymat2), label,
4453 sizeof(label) - 1, emptycontext, 0), 1)
4455 * Check that both sides created the same key material with the
4458 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4461 * Check that both sides created the same key material with an
4464 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4466 /* Different contexts should produce different results */
4467 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4474 SSL_SESSION_free(sess);
4475 SSL_SESSION_free(clientpsk);
4476 SSL_SESSION_free(serverpsk);
4477 clientpsk = serverpsk = NULL;
4478 SSL_free(serverssl);
4479 SSL_free(clientssl);
4486 #define NUM_KEY_UPDATE_MESSAGES 40
4490 static int test_key_update(void)
4492 SSL_CTX *cctx = NULL, *sctx = NULL;
4493 SSL *clientssl = NULL, *serverssl = NULL;
4494 int testresult = 0, i, j;
4496 static char *mess = "A test message";
4498 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4499 TLS_client_method(),
4502 &sctx, &cctx, cert, privkey))
4503 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4505 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4509 for (j = 0; j < 2; j++) {
4510 /* Send lots of KeyUpdate messages */
4511 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4512 if (!TEST_true(SSL_key_update(clientssl,
4514 ? SSL_KEY_UPDATE_NOT_REQUESTED
4515 : SSL_KEY_UPDATE_REQUESTED))
4516 || !TEST_true(SSL_do_handshake(clientssl)))
4520 /* Check that sending and receiving app data is ok */
4521 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4522 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4530 SSL_free(serverssl);
4531 SSL_free(clientssl);
4537 #endif /* OPENSSL_NO_TLS1_3 */
4539 static int test_ssl_clear(int idx)
4541 SSL_CTX *cctx = NULL, *sctx = NULL;
4542 SSL *clientssl = NULL, *serverssl = NULL;
4545 #ifdef OPENSSL_NO_TLS1_2
4550 /* Create an initial connection */
4551 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4553 &sctx, &cctx, cert, privkey))
4555 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4557 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4558 &clientssl, NULL, NULL))
4559 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4563 SSL_shutdown(clientssl);
4564 SSL_shutdown(serverssl);
4565 SSL_free(serverssl);
4568 /* Clear clientssl - we're going to reuse the object */
4569 if (!TEST_true(SSL_clear(clientssl)))
4572 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4574 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4576 || !TEST_true(SSL_session_reused(clientssl)))
4579 SSL_shutdown(clientssl);
4580 SSL_shutdown(serverssl);
4585 SSL_free(serverssl);
4586 SSL_free(clientssl);
4593 /* Parse CH and retrieve any MFL extension value if present */
4594 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4597 unsigned char *data;
4598 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4599 unsigned int MFL_code = 0, type = 0;
4601 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4604 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4605 /* Skip the record header */
4606 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4607 /* Skip the handshake message header */
4608 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4609 /* Skip client version and random */
4610 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4611 + SSL3_RANDOM_SIZE))
4612 /* Skip session id */
4613 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4615 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4616 /* Skip compression */
4617 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4618 /* Extensions len */
4619 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4622 /* Loop through all extensions */
4623 while (PACKET_remaining(&pkt2)) {
4624 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4625 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4628 if (type == TLSEXT_TYPE_max_fragment_length) {
4629 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4630 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4633 *mfl_codemfl_code = MFL_code;
4642 /* Maximum-Fragment-Length TLS extension mode to test */
4643 static const unsigned char max_fragment_len_test[] = {
4644 TLSEXT_max_fragment_length_512,
4645 TLSEXT_max_fragment_length_1024,
4646 TLSEXT_max_fragment_length_2048,
4647 TLSEXT_max_fragment_length_4096
4650 static int test_max_fragment_len_ext(int idx_tst)
4654 int testresult = 0, MFL_mode = 0;
4657 ctx = SSL_CTX_new(TLS_method());
4661 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4662 ctx, max_fragment_len_test[idx_tst])))
4669 rbio = BIO_new(BIO_s_mem());
4670 wbio = BIO_new(BIO_s_mem());
4671 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4677 SSL_set_bio(con, rbio, wbio);
4678 SSL_set_connect_state(con);
4680 if (!TEST_int_le(SSL_connect(con), 0)) {
4681 /* This shouldn't succeed because we don't have a server! */
4685 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4686 /* no MFL in client hello */
4688 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4700 #ifndef OPENSSL_NO_TLS1_3
4701 static int test_pha_key_update(void)
4703 SSL_CTX *cctx = NULL, *sctx = NULL;
4704 SSL *clientssl = NULL, *serverssl = NULL;
4707 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4709 &sctx, &cctx, cert, privkey)))
4712 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4713 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4714 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4715 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4718 SSL_CTX_set_post_handshake_auth(cctx, 1);
4720 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4724 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4728 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4729 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4732 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4735 /* Start handshake on the server */
4736 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4739 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4740 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4744 SSL_shutdown(clientssl);
4745 SSL_shutdown(serverssl);
4750 SSL_free(serverssl);
4751 SSL_free(clientssl);
4758 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4760 static SRP_VBASE *vbase = NULL;
4762 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4764 int ret = SSL3_AL_FATAL;
4766 SRP_user_pwd *user = NULL;
4768 username = SSL_get_srp_username(s);
4769 if (username == NULL) {
4770 *ad = SSL_AD_INTERNAL_ERROR;
4774 user = SRP_VBASE_get1_by_user(vbase, username);
4776 *ad = SSL_AD_INTERNAL_ERROR;
4780 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4782 *ad = SSL_AD_INTERNAL_ERROR;
4789 SRP_user_pwd_free(user);
4793 static int create_new_vfile(char *userid, char *password, const char *filename)
4796 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4799 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4802 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4805 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4806 &row[DB_srpverifier], NULL, NULL);
4807 if (!TEST_ptr(gNid))
4811 * The only way to create an empty TXT_DB is to provide a BIO with no data
4814 db = TXT_DB_read(dummy, DB_NUMBER);
4818 out = BIO_new_file(filename, "w");
4822 row[DB_srpid] = OPENSSL_strdup(userid);
4823 row[DB_srptype] = OPENSSL_strdup("V");
4824 row[DB_srpgN] = OPENSSL_strdup(gNid);
4826 if (!TEST_ptr(row[DB_srpid])
4827 || !TEST_ptr(row[DB_srptype])
4828 || !TEST_ptr(row[DB_srpgN])
4829 || !TEST_true(TXT_DB_insert(db, row)))
4834 if (!TXT_DB_write(out, db))
4840 for (i = 0; i < DB_NUMBER; i++)
4841 OPENSSL_free(row[i]);
4851 static int create_new_vbase(char *userid, char *password)
4853 BIGNUM *verifier = NULL, *salt = NULL;
4854 const SRP_gN *lgN = NULL;
4855 SRP_user_pwd *user_pwd = NULL;
4858 lgN = SRP_get_default_gN(NULL);
4862 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4866 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4867 if (!TEST_ptr(user_pwd))
4870 user_pwd->N = lgN->N;
4871 user_pwd->g = lgN->g;
4872 user_pwd->id = OPENSSL_strdup(userid);
4873 if (!TEST_ptr(user_pwd->id))
4876 user_pwd->v = verifier;
4878 verifier = salt = NULL;
4880 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4886 SRP_user_pwd_free(user_pwd);
4896 * Test 0: Simple successful SRP connection, new vbase
4897 * Test 1: Connection failure due to bad password, new vbase
4898 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4899 * Test 3: Connection failure due to bad password, vbase loaded from existing
4901 * Test 4: Simple successful SRP connection, vbase loaded from new file
4902 * Test 5: Connection failure due to bad password, vbase loaded from new file
4904 static int test_srp(int tst)
4906 char *userid = "test", *password = "password", *tstsrpfile;
4907 SSL_CTX *cctx = NULL, *sctx = NULL;
4908 SSL *clientssl = NULL, *serverssl = NULL;
4909 int ret, testresult = 0;
4911 vbase = SRP_VBASE_new(NULL);
4912 if (!TEST_ptr(vbase))
4915 if (tst == 0 || tst == 1) {
4916 if (!TEST_true(create_new_vbase(userid, password)))
4919 if (tst == 4 || tst == 5) {
4920 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4922 tstsrpfile = tmpfilename;
4924 tstsrpfile = srpvfile;
4926 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4930 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4932 &sctx, &cctx, cert, privkey)))
4935 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4936 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4937 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4938 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4939 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4943 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4946 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4950 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4954 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4956 if (!TEST_true(tst % 2 == 0))
4959 if (!TEST_true(tst % 2 == 1))
4966 SRP_VBASE_free(vbase);
4968 SSL_free(serverssl);
4969 SSL_free(clientssl);
4977 static int info_cb_failed = 0;
4978 static int info_cb_offset = 0;
4979 static int info_cb_this_state = -1;
4981 static struct info_cb_states_st {
4983 const char *statestr;
4984 } info_cb_states[][60] = {
4986 /* TLSv1.2 server followed by resumption */
4987 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4988 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4989 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4990 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4991 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4992 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4993 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4994 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4995 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4996 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4997 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4998 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4999 {SSL_CB_EXIT, NULL}, {0, NULL},
5001 /* TLSv1.2 client followed by resumption */
5002 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5003 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5004 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5005 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5006 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5007 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5008 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5009 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5010 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5011 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5012 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5013 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5015 /* TLSv1.3 server followed by resumption */
5016 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5017 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5018 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5019 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5020 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5021 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5022 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5023 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5024 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5025 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5026 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5027 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5028 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5030 /* TLSv1.3 client followed by resumption */
5031 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5032 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5033 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5034 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5035 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5036 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5037 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5038 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5039 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5040 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5041 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5042 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5043 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5044 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5045 {SSL_CB_EXIT, NULL}, {0, NULL},
5047 /* TLSv1.3 server, early_data */
5048 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5049 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5050 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5051 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5052 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5053 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5054 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5055 {SSL_CB_EXIT, NULL}, {0, NULL},
5057 /* TLSv1.3 client, early_data */
5058 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5059 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5060 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5061 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5062 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5063 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5064 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5065 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5066 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5072 static void sslapi_info_callback(const SSL *s, int where, int ret)
5074 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5076 /* We do not ever expect a connection to fail in this test */
5077 if (!TEST_false(ret == 0)) {
5083 * Do some sanity checks. We never expect these things to happen in this
5086 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5087 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5088 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5093 /* Now check we're in the right state */
5094 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5098 if ((where & SSL_CB_LOOP) != 0
5099 && !TEST_int_eq(strcmp(SSL_state_string(s),
5100 state[info_cb_this_state].statestr), 0)) {
5106 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5108 if ((where & SSL_CB_HANDSHAKE_DONE)
5109 && SSL_in_init((SSL *)s) != 0) {
5116 * Test the info callback gets called when we expect it to.
5118 * Test 0: TLSv1.2, server
5119 * Test 1: TLSv1.2, client
5120 * Test 2: TLSv1.3, server
5121 * Test 3: TLSv1.3, client
5122 * Test 4: TLSv1.3, server, early_data
5123 * Test 5: TLSv1.3, client, early_data
5125 static int test_info_callback(int tst)
5127 SSL_CTX *cctx = NULL, *sctx = NULL;
5128 SSL *clientssl = NULL, *serverssl = NULL;
5129 SSL_SESSION *clntsess = NULL;
5134 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5135 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5136 || !defined(OPENSSL_NO_DH))
5137 tlsvers = TLS1_2_VERSION;
5142 #ifndef OPENSSL_NO_TLS1_3
5143 tlsvers = TLS1_3_VERSION;
5151 info_cb_this_state = -1;
5152 info_cb_offset = tst;
5154 #ifndef OPENSSL_NO_TLS1_3
5156 SSL_SESSION *sess = NULL;
5157 size_t written, readbytes;
5158 unsigned char buf[80];
5160 /* early_data tests */
5161 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5162 &serverssl, &sess, 0)))
5165 /* We don't actually need this reference */
5166 SSL_SESSION_free(sess);
5168 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5169 sslapi_info_callback);
5171 /* Write and read some early data and then complete the connection */
5172 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5174 || !TEST_size_t_eq(written, strlen(MSG1))
5175 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5176 sizeof(buf), &readbytes),
5177 SSL_READ_EARLY_DATA_SUCCESS)
5178 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5179 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5180 SSL_EARLY_DATA_ACCEPTED)
5181 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5183 || !TEST_false(info_cb_failed))
5191 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5192 TLS_client_method(),
5193 tlsvers, tlsvers, &sctx, &cctx, cert,
5198 * For even numbered tests we check the server callbacks. For odd numbers we
5201 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5202 sslapi_info_callback);
5204 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5205 &clientssl, NULL, NULL))
5206 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5208 || !TEST_false(info_cb_failed))
5213 clntsess = SSL_get1_session(clientssl);
5214 SSL_shutdown(clientssl);
5215 SSL_shutdown(serverssl);
5216 SSL_free(serverssl);
5217 SSL_free(clientssl);
5218 serverssl = clientssl = NULL;
5220 /* Now do a resumption */
5221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5223 || !TEST_true(SSL_set_session(clientssl, clntsess))
5224 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5226 || !TEST_true(SSL_session_reused(clientssl))
5227 || !TEST_false(info_cb_failed))
5233 SSL_free(serverssl);
5234 SSL_free(clientssl);
5235 SSL_SESSION_free(clntsess);
5241 static int test_ssl_pending(int tst)
5243 SSL_CTX *cctx = NULL, *sctx = NULL;
5244 SSL *clientssl = NULL, *serverssl = NULL;
5246 char msg[] = "A test message";
5248 size_t written, readbytes;
5251 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5252 TLS_client_method(),
5254 &sctx, &cctx, cert, privkey)))
5257 #ifndef OPENSSL_NO_DTLS
5258 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5259 DTLS_client_method(),
5261 &sctx, &cctx, cert, privkey)))
5268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5270 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5274 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5275 || !TEST_false(SSL_has_pending(clientssl))
5276 || !TEST_int_eq(SSL_pending(serverssl), 0)
5277 || !TEST_false(SSL_has_pending(serverssl))
5278 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5279 || !TEST_size_t_eq(written, sizeof(msg))
5280 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5281 || !TEST_size_t_eq(readbytes, sizeof(buf))
5282 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5283 || !TEST_true(SSL_has_pending(clientssl)))
5289 SSL_free(serverssl);
5290 SSL_free(clientssl);
5298 unsigned int maxprot;
5299 const char *clntciphers;
5300 const char *clnttls13ciphers;
5301 const char *srvrciphers;
5302 const char *srvrtls13ciphers;
5304 } shared_ciphers_data[] = {
5306 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5307 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5309 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5312 "AES128-SHA:AES256-SHA",
5314 "AES256-SHA:DHE-RSA-AES128-SHA",
5320 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5322 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5324 "AES128-SHA:AES256-SHA"
5328 "AES128-SHA:AES256-SHA",
5330 "AES128-SHA:DHE-RSA-AES128-SHA",
5336 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5339 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5340 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5343 "AES128-SHA:AES256-SHA",
5345 "AES256-SHA:AES128-SHA256",
5347 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5348 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5351 #ifndef OPENSSL_NO_TLS1_3
5355 "TLS_AES_256_GCM_SHA384",
5357 "TLS_AES_256_GCM_SHA384",
5358 "TLS_AES_256_GCM_SHA384"
5363 static int test_ssl_get_shared_ciphers(int tst)
5365 SSL_CTX *cctx = NULL, *sctx = NULL;
5366 SSL *clientssl = NULL, *serverssl = NULL;
5370 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5371 TLS_client_method(),
5373 shared_ciphers_data[tst].maxprot,
5374 &sctx, &cctx, cert, privkey)))
5377 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5378 shared_ciphers_data[tst].clntciphers))
5379 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5380 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5381 shared_ciphers_data[tst].clnttls13ciphers)))
5382 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5383 shared_ciphers_data[tst].srvrciphers))
5384 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5385 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5386 shared_ciphers_data[tst].srvrtls13ciphers))))
5390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5396 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5397 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5398 TEST_info("Shared ciphers are: %s\n", buf);
5405 SSL_free(serverssl);
5406 SSL_free(clientssl);
5413 static const char *appdata = "Hello World";
5414 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5415 static int tick_key_renew = 0;
5416 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5418 static int gen_tick_cb(SSL *s, void *arg)
5420 gen_tick_called = 1;
5422 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5426 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5427 const unsigned char *keyname,
5428 size_t keyname_length,
5429 SSL_TICKET_STATUS status,
5435 dec_tick_called = 1;
5437 if (status == SSL_TICKET_EMPTY)
5438 return SSL_TICKET_RETURN_IGNORE_RENEW;
5440 if (!TEST_true(status == SSL_TICKET_SUCCESS
5441 || status == SSL_TICKET_SUCCESS_RENEW))
5442 return SSL_TICKET_RETURN_ABORT;
5444 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5446 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5447 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5448 return SSL_TICKET_RETURN_ABORT;
5450 if (tick_key_cb_called) {
5451 /* Don't change what the ticket key callback wanted to do */
5453 case SSL_TICKET_NO_DECRYPT:
5454 return SSL_TICKET_RETURN_IGNORE_RENEW;
5456 case SSL_TICKET_SUCCESS:
5457 return SSL_TICKET_RETURN_USE;
5459 case SSL_TICKET_SUCCESS_RENEW:
5460 return SSL_TICKET_RETURN_USE_RENEW;
5463 return SSL_TICKET_RETURN_ABORT;
5466 return tick_dec_ret;
5470 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5471 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5472 HMAC_CTX *hctx, int enc)
5474 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5475 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5477 tick_key_cb_called = 1;
5478 memset(iv, 0, AES_BLOCK_SIZE);
5479 memset(key_name, 0, 16);
5480 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5481 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5482 EVP_sha256(), NULL))
5485 return tick_key_renew ? 2 : 1;
5489 * Test the various ticket callbacks
5490 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5491 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5492 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5493 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5494 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5495 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5496 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5497 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5498 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5499 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5500 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5501 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5503 static int test_ticket_callbacks(int tst)
5505 SSL_CTX *cctx = NULL, *sctx = NULL;
5506 SSL *clientssl = NULL, *serverssl = NULL;
5507 SSL_SESSION *clntsess = NULL;
5510 #ifdef OPENSSL_NO_TLS1_2
5514 #ifdef OPENSSL_NO_TLS1_3
5519 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5521 /* Which tests the ticket key callback should request renewal for */
5522 if (tst == 10 || tst == 11)
5527 /* Which tests the decrypt ticket callback should request renewal for */
5531 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5536 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5541 tick_dec_ret = SSL_TICKET_RETURN_USE;
5546 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5550 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5553 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5554 TLS_client_method(),
5556 ((tst % 2) == 0) ? TLS1_2_VERSION
5558 &sctx, &cctx, cert, privkey)))
5562 * We only want sessions to resume from tickets - not the session cache. So
5563 * switch the cache off.
5565 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5568 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5573 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5576 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5578 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5583 * The decrypt ticket key callback in TLSv1.2 should be called even though
5584 * we have no ticket yet, because it gets called with a status of
5585 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5586 * actually send any ticket data). This does not happen in TLSv1.3 because
5587 * it is not valid to send empty ticket data in TLSv1.3.
5589 if (!TEST_int_eq(gen_tick_called, 1)
5590 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5593 gen_tick_called = dec_tick_called = 0;
5595 clntsess = SSL_get1_session(clientssl);
5596 SSL_shutdown(clientssl);
5597 SSL_shutdown(serverssl);
5598 SSL_free(serverssl);
5599 SSL_free(clientssl);
5600 serverssl = clientssl = NULL;
5602 /* Now do a resumption */
5603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5605 || !TEST_true(SSL_set_session(clientssl, clntsess))
5606 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5610 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5611 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5612 if (!TEST_false(SSL_session_reused(clientssl)))
5615 if (!TEST_true(SSL_session_reused(clientssl)))
5619 if (!TEST_int_eq(gen_tick_called,
5621 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5622 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5624 || !TEST_int_eq(dec_tick_called, 1))
5630 SSL_SESSION_free(clntsess);
5631 SSL_free(serverssl);
5632 SSL_free(clientssl);
5640 * Test bi-directional shutdown.
5642 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5643 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5644 * Test 3: TLSv1.3, pending NewSessionTicket messages
5645 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5646 * sends key update, client reads it
5647 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5648 * sends CertificateRequest, client reads and ignores it
5649 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5652 static int test_shutdown(int tst)
5654 SSL_CTX *cctx = NULL, *sctx = NULL;
5655 SSL *clientssl = NULL, *serverssl = NULL;
5657 char msg[] = "A test message";
5659 size_t written, readbytes;
5662 #ifdef OPENSSL_NO_TLS1_2
5666 #ifdef OPENSSL_NO_TLS1_3
5671 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5672 TLS_client_method(),
5674 (tst <= 1) ? TLS1_2_VERSION
5676 &sctx, &cctx, cert, privkey)))
5680 SSL_CTX_set_post_handshake_auth(cctx, 1);
5682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5687 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5689 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5690 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5692 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5694 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5695 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5699 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5704 * Reading on the server after the client has sent close_notify should
5705 * fail and provide SSL_ERROR_ZERO_RETURN
5707 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5708 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5709 SSL_ERROR_ZERO_RETURN)
5710 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5711 SSL_RECEIVED_SHUTDOWN)
5713 * Even though we're shutdown on receive we should still be
5716 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5719 && !TEST_true(SSL_key_update(serverssl,
5720 SSL_KEY_UPDATE_REQUESTED)))
5723 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5724 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5727 if ((tst == 4 || tst == 5)
5728 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5730 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5732 if (tst == 4 || tst == 5) {
5733 /* Should still be able to read data from server */
5734 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5736 || !TEST_size_t_eq(readbytes, sizeof(msg))
5737 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5738 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5740 || !TEST_size_t_eq(readbytes, sizeof(msg))
5741 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5746 /* Writing on the client after sending close_notify shouldn't be possible */
5747 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5752 * For these tests the client has sent close_notify but it has not yet
5753 * been received by the server. The server has not sent close_notify
5756 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5758 * Writing on the server after sending close_notify shouldn't
5761 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5762 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5763 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5764 || !TEST_true(SSL_SESSION_is_resumable(sess))
5765 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5767 } else if (tst == 4 || tst == 5) {
5769 * In this test the client has sent close_notify and it has been
5770 * received by the server which has responded with a close_notify. The
5771 * client needs to read the close_notify sent by the server.
5773 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5774 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5775 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5781 * The client has sent close_notify and is expecting a close_notify
5782 * back, but instead there is application data first. The shutdown
5783 * should fail with a fatal error.
5785 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5786 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5793 SSL_free(serverssl);
5794 SSL_free(clientssl);
5801 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5802 static int cert_cb_cnt;
5804 static int cert_cb(SSL *s, void *arg)
5806 SSL_CTX *ctx = (SSL_CTX *)arg;
5808 if (cert_cb_cnt == 0) {
5809 /* Suspend the handshake */
5812 } else if (cert_cb_cnt == 1) {
5814 * Update the SSL_CTX, set the certificate and private key and then
5815 * continue the handshake normally.
5817 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5820 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5821 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5823 || !TEST_true(SSL_check_private_key(s)))
5829 /* Abort the handshake */
5834 * Test the certificate callback.
5835 * Test 0: Callback fails
5836 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5837 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5839 static int test_cert_cb_int(int prot, int tst)
5841 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5842 SSL *clientssl = NULL, *serverssl = NULL;
5843 int testresult = 0, ret;
5845 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5846 TLS_client_method(),
5849 &sctx, &cctx, NULL, NULL)))
5857 snictx = SSL_CTX_new(TLS_server_method());
5858 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5864 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5865 if (!TEST_true(tst == 0 ? !ret : ret)
5866 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
5873 SSL_free(serverssl);
5874 SSL_free(clientssl);
5877 SSL_CTX_free(snictx);
5883 static int test_cert_cb(int tst)
5887 #ifndef OPENSSL_NO_TLS1_2
5888 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
5890 #ifndef OPENSSL_NO_TLS1_3
5891 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
5897 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
5903 /* Check that SSL_get_peer_certificate() returns something sensible */
5904 peer = SSL_get_peer_certificate(ssl);
5905 if (!TEST_ptr(peer))
5909 in = BIO_new_file(cert, "r");
5913 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5915 if (!TEST_ptr(xcert))
5918 in = BIO_new_file(privkey, "r");
5919 if (!TEST_ptr(in)) {
5924 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
5926 if (!TEST_ptr(privpkey)) {
5937 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5942 static int test_client_cert_cb(int tst)
5944 SSL_CTX *cctx = NULL, *sctx = NULL;
5945 SSL *clientssl = NULL, *serverssl = NULL;
5948 #ifdef OPENSSL_NO_TLS1_2
5952 #ifdef OPENSSL_NO_TLS1_3
5957 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5958 TLS_client_method(),
5960 tst == 0 ? TLS1_2_VERSION
5962 &sctx, &cctx, cert, privkey)))
5966 * Test that setting a client_cert_cb results in a client certificate being
5969 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
5970 SSL_CTX_set_verify(sctx,
5971 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5974 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5976 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5983 SSL_free(serverssl);
5984 SSL_free(clientssl);
5991 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5993 * Test setting certificate authorities on both client and server.
5995 * Test 0: SSL_CTX_set0_CA_list() only
5996 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
5997 * Test 2: Only SSL_CTX_set_client_CA_list()
5999 static int test_ca_names_int(int prot, int tst)
6001 SSL_CTX *cctx = NULL, *sctx = NULL;
6002 SSL *clientssl = NULL, *serverssl = NULL;
6005 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6006 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6007 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6008 const STACK_OF(X509_NAME) *sktmp = NULL;
6010 for (i = 0; i < OSSL_NELEM(name); i++) {
6011 name[i] = X509_NAME_new();
6012 if (!TEST_ptr(name[i])
6013 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6021 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6022 TLS_client_method(),
6025 &sctx, &cctx, cert, privkey)))
6028 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6030 if (tst == 0 || tst == 1) {
6031 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6032 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6033 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6034 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6035 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6036 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6039 SSL_CTX_set0_CA_list(sctx, sk1);
6040 SSL_CTX_set0_CA_list(cctx, sk2);
6043 if (tst == 1 || tst == 2) {
6044 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6045 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6046 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6047 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6048 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6049 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6052 SSL_CTX_set_client_CA_list(sctx, sk1);
6053 SSL_CTX_set_client_CA_list(cctx, sk2);
6057 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6059 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6064 * We only expect certificate authorities to have been sent to the server
6065 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6067 sktmp = SSL_get0_peer_CA_list(serverssl);
6068 if (prot == TLS1_3_VERSION
6069 && (tst == 0 || tst == 1)) {
6070 if (!TEST_ptr(sktmp)
6071 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6072 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6074 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6077 } else if (!TEST_ptr_null(sktmp)) {
6082 * In all tests we expect certificate authorities to have been sent to the
6083 * client. However, SSL_set_client_CA_list() should override
6084 * SSL_set0_CA_list()
6086 sktmp = SSL_get0_peer_CA_list(clientssl);
6087 if (!TEST_ptr(sktmp)
6088 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6089 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6090 name[tst == 0 ? 0 : 2]), 0)
6091 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6092 name[tst == 0 ? 1 : 3]), 0))
6098 SSL_free(serverssl);
6099 SSL_free(clientssl);
6102 for (i = 0; i < OSSL_NELEM(name); i++)
6103 X509_NAME_free(name[i]);
6104 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6105 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6111 static int test_ca_names(int tst)
6115 #ifndef OPENSSL_NO_TLS1_2
6116 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6118 #ifndef OPENSSL_NO_TLS1_3
6119 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6126 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6128 int setup_tests(void)
6130 if (!TEST_ptr(cert = test_get_argument(0))
6131 || !TEST_ptr(privkey = test_get_argument(1))
6132 || !TEST_ptr(srpvfile = test_get_argument(2))
6133 || !TEST_ptr(tmpfilename = test_get_argument(3)))
6136 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6137 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6138 TEST_error("not supported in this build");
6141 int i, mcount, rcount, fcount;
6143 for (i = 0; i < 4; i++)
6144 test_export_key_mat(i);
6145 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6146 test_printf_stdout("malloc %d realloc %d free %d\n",
6147 mcount, rcount, fcount);
6152 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6153 && !defined(OPENSSL_NO_SOCK)
6154 ADD_TEST(test_ktls_client_server);
6155 ADD_TEST(test_ktls_no_client_server);
6156 ADD_TEST(test_ktls_client_no_server);
6157 ADD_TEST(test_ktls_no_client_no_server);
6159 ADD_TEST(test_large_message_tls);
6160 ADD_TEST(test_large_message_tls_read_ahead);
6161 #ifndef OPENSSL_NO_DTLS
6162 ADD_TEST(test_large_message_dtls);
6164 #ifndef OPENSSL_NO_OCSP
6165 ADD_TEST(test_tlsext_status_type);
6167 ADD_TEST(test_session_with_only_int_cache);
6168 ADD_TEST(test_session_with_only_ext_cache);
6169 ADD_TEST(test_session_with_both_cache);
6170 #ifndef OPENSSL_NO_TLS1_3
6171 ADD_ALL_TESTS(test_stateful_tickets, 3);
6172 ADD_ALL_TESTS(test_stateless_tickets, 3);
6173 ADD_TEST(test_psk_tickets);
6175 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6176 ADD_TEST(test_ssl_bio_pop_next_bio);
6177 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6178 ADD_TEST(test_ssl_bio_change_rbio);
6179 ADD_TEST(test_ssl_bio_change_wbio);
6180 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6181 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6182 ADD_TEST(test_keylog);
6184 #ifndef OPENSSL_NO_TLS1_3
6185 ADD_TEST(test_keylog_no_master_key);
6187 #ifndef OPENSSL_NO_TLS1_2
6188 ADD_TEST(test_client_hello_cb);
6189 ADD_TEST(test_no_ems);
6191 #ifndef OPENSSL_NO_TLS1_3
6192 ADD_ALL_TESTS(test_early_data_read_write, 3);
6194 * We don't do replay tests for external PSK. Replay protection isn't used
6197 ADD_ALL_TESTS(test_early_data_replay, 2);
6198 ADD_ALL_TESTS(test_early_data_skip, 3);
6199 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6200 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6201 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6202 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6203 ADD_ALL_TESTS(test_early_data_psk, 8);
6204 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6205 # ifndef OPENSSL_NO_TLS1_2
6206 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6209 #ifndef OPENSSL_NO_TLS1_3
6210 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6211 ADD_TEST(test_ciphersuite_change);
6212 #ifdef OPENSSL_NO_PSK
6213 ADD_ALL_TESTS(test_tls13_psk, 1);
6215 ADD_ALL_TESTS(test_tls13_psk, 4);
6216 #endif /* OPENSSL_NO_PSK */
6217 ADD_ALL_TESTS(test_custom_exts, 5);
6218 ADD_TEST(test_stateless);
6219 ADD_TEST(test_pha_key_update);
6221 ADD_ALL_TESTS(test_custom_exts, 3);
6223 ADD_ALL_TESTS(test_serverinfo, 8);
6224 ADD_ALL_TESTS(test_export_key_mat, 6);
6225 #ifndef OPENSSL_NO_TLS1_3
6226 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6227 ADD_TEST(test_key_update);
6229 ADD_ALL_TESTS(test_ssl_clear, 2);
6230 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6231 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6232 ADD_ALL_TESTS(test_srp, 6);
6234 ADD_ALL_TESTS(test_info_callback, 6);
6235 ADD_ALL_TESTS(test_ssl_pending, 2);
6236 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6237 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6238 ADD_ALL_TESTS(test_shutdown, 7);
6239 ADD_ALL_TESTS(test_cert_cb, 3);
6240 ADD_ALL_TESTS(test_client_cert_cb, 2);
6241 ADD_ALL_TESTS(test_ca_names, 3);
6245 void cleanup_tests(void)
6247 bio_s_mempacket_test_free();
projects / openssl.git / blob